
Introduced protections against user-controlled internal request forwarding


| Importance | Review Guidance | Requires Scanning Tool |
|---|---|---|
| HIGH | Merge Without Review | No |

This change hardens all ServletRequest#getRequestDispatcher(String) calls against attack.

HTTP has a built-in mechanism for sending clients to another resource: the client-side redirect. The getRequestDispatcher(String) method is different in that it performs a forward, which happens entirely on the server side.

Sending users back through the "front door" with a redirect provides some protection on its own: the container will never serve a direct client request for sensitive resources such as /WEB-INF/web.xml. That protection does not apply to request dispatcher forwards, so special care must be taken that the forwarded path does not point at any known sensitive data.

Our change introduces an API that validates forward targets, rejecting paths that point at sensitive data or attempt to reach application code.
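As an added illustration (not the project's own code), the validator below shows one way a guard like the validateDispatcherPath(path) call introduced here can reject forward targets that resolve into the container's protected directories; the class name, the exception type and the decode-before-check behaviour are assumptions of this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Set;

// Example validator for request dispatcher forward targets (not the project's code).
public final class ForwardPathValidator {

    // Directories the servlet spec shields from direct client requests, but not from forwards.
    private static final Set<String> PROTECTED = Set.of("web-inf", "meta-inf");

    // Hypothetical exception type for this example.
    public static final class UnsafeForwardException extends RuntimeException {
        public UnsafeForwardException(String msg) { super(msg); }
    }

    /** Returns the normalized path, or throws if it resolves into a protected directory. */
    public static String validateDispatcherPath(String path) {
        if (path == null) throw new UnsafeForwardException("forward path is null");
        // Only the path component is resolved by the dispatcher; drop query string and fragment.
        String pathOnly = path.split("[?#]", 2)[0];
        // Decode once before inspecting so %2e%2e or %57EB-INF cannot hide a segment.
        // (Conservative assumption: done regardless of whether the container decodes forward paths.)
        String decoded;
        try {
            decoded = URLDecoder.decode(pathOnly, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new UnsafeForwardException("malformed percent-encoding");
        }
        if (decoded.indexOf('\0') >= 0) throw new UnsafeForwardException("NUL byte in path");
        // Resolve "." and ".." segments; treat backslash as a separator as well.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { segments.pollLast(); continue; }
            segments.addLast(seg);
        }
        // Check the resolved path, so "/WEB-INF/../index.jsp" is judged as "/index.jsp".
        for (String seg : segments) {
            if (PROTECTED.contains(seg.toLowerCase(Locale.ROOT))) {
                throw new UnsafeForwardException("forward into protected directory: " + path);
            }
        }
        return "/" + String.join("/", segments);
    }
}
```

Calling validateDispatcherPath on "/pages/../WEB-INF/web.xml" or "/%57EB-INF/classes/app.properties" throws, while "/account/summary.jsp" is returned unchanged.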

+ import static;
+ validateDispatcherPath(path);
request.getRequestDispatcher(path).forward(request, response);
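Review bot: the `import static;` on the first line of the hunk names no class or member, so the change as shown will not compile; the static import should name the class that supplies validateDispatcherPath, which the page does not identify. It would also help to document what validateDispatcherPath(path) does when it rejects a path, since the forward on the following line runs unconditionally unless that call throws.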