CodeQL documentation
CodeQL resources

URL forward from a remote source

ID: java/unvalidated-url-forward Kind: path-problem Security severity: 7.5 Severity: error Precision: high Tags: - security - external/cwe/cwe-552 Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Directly incorporating user input into a URL forward request without validating the input can cause file information disclosure by allowing an attacker to access unauthorized URLs.

Recommendation

To guard against untrusted URL forwarding, you should avoid putting user input directly into a forwarded URL. Instead, you should maintain a list of authorized URLs on the server, then choose from that list based on the user input provided.

Example

The following example shows an HTTP request parameter being used directly in a URL forward without validating the input, which may cause file information disclosure. It also shows how to remedy the problem by validating the user input against a known fixed string.

public class UrlForward extends HttpServlet { private static final String VALID_FORWARD = "https://cwe.mitre.org/data/definitions/552.html"; protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ServletConfig cfg = getServletConfig(); ServletContext sc = cfg.getServletContext(); // BAD: a request parameter is incorporated without validation into a URL forward sc.getRequestDispatcher(request.getParameter("target")).forward(request, response); // GOOD: the request parameter is validated against a known fixed string if (VALID_FORWARD.equals(request.getParameter("target"))) { sc.getRequestDispatcher(VALID_FORWARD).forward(request, response); } } }

References