Java: Add check for J2EE server directory listing#3595
Java: Add check for J2EE server directory listing#3595aschackmull merged 4 commits intogithub:masterfrom
Conversation
java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
Outdated
Show resolved
Hide resolved
|
Hi @aschackmull, Somehow the check of "Code scanning - action / CodeQL-Build (pull_request)" still failed. The error message seems to indicate CodeQL tried to validate the query as C-Sharp code:
I doubt this error is related to the previously missing ending newline character. How can this issue be fixed? Please advise. Thanks, |
aschackmull
left a comment
There was a problem hiding this comment.
The CodeQL scanning action is a fairly new addition and the failure is unrelated to this PR, so we can disregard it.
|
Thanks @aschackmull a lot for all your help with this PR. |
Enabling directory listing in J2EE application servers introduces the vulnerability of filename and path disclosure, which could allow an attacker to read arbitrary files in the server web directory. This includes application source code and data, as well as credentials for back-end systems.
Directory listing can be enabled via web.xml configuration of J2EE application servers:
This PR adds a CodeQL query to find all insecure web.xml with the listing property set to true.