界: Environment

本节包括的所有内容均与源代码无关,但对所创建产品的安全性仍然至关重要。因为本节涉及的问题与源代码没有直接关系,所以我们将它与其他章节分开。

J2EE Misconfiguration: Excessive Servlet Mappings

Abstract
多个 URL 模式映射到单个 Servlet,这通常表明体系结构欠佳或标准化程度不够。
Explanation
多个 URL 模式映射到单个 Servlet 可能表明 Servlet 执行的函数过多。

示例 1:以下示例将五个 URL 模式映射到单个 Servlet。

<servlet>
    <servlet-class>com.class.MyServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/myservlet</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/helloworld*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/mservlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
References
[1] Sun Microsystems, Inc. Java Servlet Specification 2.4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 398
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.j2ee_misconfiguration_excessive_servlet_mappings