Module io.github.pixee.security
Package io.github.pixee.security.jakarta

Class PathValidator

  • public final class PathValidator
extends java.lang.Object
    This type exposes helper methods that will help defend against Jakarta EE-specific attacks.

    • Constructor Summary

      Constructors 
      Constructor Description
      PathValidator()  

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static java.lang.String validateDispatcherPath​(java.lang.String path)
      Validates the path argument to javax.servlet.http.HttpServletRequest#getRequestDispatcher(), which could be used to gain access to sensitive assets like configuration files, code files, etc.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • PathValidator

        public PathValidator()

    • Method Detail

      • validateDispatcherPath

        public static java.lang.String validateDispatcherPath​(java.lang.String path)
        Validates the path argument to javax.servlet.http.HttpServletRequest#getRequestDispatcher(), which could be used to gain access to sensitive assets like configuration files, code files, etc. This method only protects against assets that are common amongst all apps, and thus represent easier targets for attackers. If the attacker is using brute force or has insider knowledge, they could still possibly find their way into other sensitive assets.
        Parameters:
        path - an argument to HttpServletRequest#getRequestDispatcher() to validate
        Returns:
        the same String as was passed in
        Throws:
        java.lang.SecurityException - if the path seems to be targeting sensitive Jakarta web application assets