Add directory listing WEBLOGIC, WEBSPHERE and JETTY support (#6871)

Report Directory listing leak when:

<param-name>dirAllowed</param-name> is present in web.xml file (Jetty Servers)
<index-directory-enabled>true</index-directory-enabled> is present in weblogic.xml (WebLogic Servers)
directoryBrowsingEnabled="true" is present in ibm-web-ext.xmi (WebSphere Servers)
<enable-directory-browsing value="true"/> is present in ibm-web-ext.xml (WebSphere Servers)

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java

@@ -48,6 +48,12 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
       "org.springframework.web.servlet.DispatcherServlet";
   private static final String DEFAULT_HTML_ESCAPE = "defaultHtmlEscape";
   private static final String LISTINGS_PATTERN = "<param-name>listings</param-name>";
+  private static final String JETTY_LISTINGS_PATTERN = "<param-name>dirAllowed</param-name>";
+  private static final String WEBLOGIC_LISTING_PATTERN =
+      "<index-directory-enabled>true</index-directory-enabled>";
+  private static final String WEBSPHERE_XMI_LISTING_PATTERN = "directoryBrowsingEnabled=\"true\"";
+  private static final String WEBSPHERE_XML_LISTING_PATTERN =
+      "<enable-directory-browsing value=\"true\"/>";
   private static final String SESSION_TIMEOUT_START_TAG = "<session-timeout>";
   private static final String SESSION_TIMEOUT_END_TAG = "</session-timeout>";
   private static final String SECURITY_CONSTRAINT_START_TAG = "<security-constraint>";
@@ -64,6 +70,9 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
       DISPLAY_NAME_START_TAG + TOMCAT_HOST_MANAGER_APP + DISPLAY_NAME_END_TAG;
   public static final String WEB_INF = "WEB-INF";
   public static final String WEB_XML = "web.xml";
+  public static final String WEBLOGIC_XML = "weblogic.xml";
+  public static final String IBM_WEB_EXT_XMI = "ibm-web-ext.xmi";
+  public static final String IBM_WEB_EXT_XML = "ibm-web-ext.xml";
   static final String SESSION_REWRITING_EVIDENCE_VALUE = "Servlet URL Session Tracking Mode";
 
   private static final Pattern PATTERN =
@@ -75,11 +84,21 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
                   TOMCAT_MANAGER_APP_PATTERN,
                   TOMCAT_HOST_MANAGER_APP_PATTERN,
                   LISTINGS_PATTERN,
+                  JETTY_LISTINGS_PATTERN,
                   SESSION_TIMEOUT_START_TAG,
                   SECURITY_CONSTRAINT_START_TAG)
               .map(Pattern::quote)
               .collect(Collectors.joining("|")));
 
+  private static final Pattern WEBLOGIC_PATTERN =
+      Pattern.compile(WEBLOGIC_LISTING_PATTERN, Pattern.CASE_INSENSITIVE);
+
+  private static final Pattern WEBSPHERE_XMI_PATTERN =
+      Pattern.compile(WEBSPHERE_XMI_LISTING_PATTERN, Pattern.CASE_INSENSITIVE);
+
+  private static final Pattern WEBSPHERE_XML_PATTERN =
+      Pattern.compile(WEBSPHERE_XML_LISTING_PATTERN, Pattern.CASE_INSENSITIVE);
+
   private static final int NO_LINE = -1;
 
   public ApplicationModuleImpl(final Dependencies dependencies) {
@@ -103,6 +122,10 @@ public void onRealPath(final @Nullable String realPath) {
     final AgentSpan span = AgentTracer.activeSpan();
     checkInsecureJSPLayout(root, span);
     checkWebXmlVulnerabilities(root, span);
+    // WEBLOGIC
+    checkWeblogicVulnerabilities(root, span);
+    // WEBSPHERE
+    checkWebsphereVulnerabilities(root, span);
   }
 
   /**
@@ -125,8 +148,46 @@ public void checkSessionTrackingModes(@Nonnull Set<String> sessionTrackingModes)
             new Evidence(SESSION_REWRITING_EVIDENCE_VALUE)));
   }
 
-  private void checkWebXmlVulnerabilities(@Nonnull Path path, AgentSpan span) {
-    String webXmlContent = webXmlContent(path);
+  private void checkWebsphereVulnerabilities(@Nonnull final Path path, final AgentSpan span) {
+    checkWebsphereXMLVulnerabilities(path, span);
+    checkWebsphereXMIVulnerabilities(path, span);
+  }
+
+  private void checkWebsphereXMIVulnerabilities(@Nonnull final Path path, final AgentSpan span) {
+    String xmlContent = getXmlContent(path, IBM_WEB_EXT_XMI);
+    if (xmlContent == null) {
+      return;
+    }
+    Matcher matcher = WEBSPHERE_XMI_PATTERN.matcher(xmlContent);
+    while (matcher.find()) {
+      reportDirectoryListingLeak(xmlContent, matcher.start(), span);
+    }
+  }
+
+  private void checkWebsphereXMLVulnerabilities(@Nonnull final Path path, final AgentSpan span) {
+    String xmlContent = getXmlContent(path, IBM_WEB_EXT_XML);
+    if (xmlContent == null) {
+      return;
+    }
+    Matcher matcher = WEBSPHERE_XML_PATTERN.matcher(xmlContent);
+    while (matcher.find()) {
+      reportDirectoryListingLeak(xmlContent, matcher.start(), span);
+    }
+  }
+
+  private void checkWeblogicVulnerabilities(@Nonnull final Path path, final AgentSpan span) {
+    String xmlContent = getXmlContent(path, WEBLOGIC_XML);
+    if (xmlContent == null) {
+      return;
+    }
+    Matcher matcher = WEBLOGIC_PATTERN.matcher(xmlContent);
+    while (matcher.find()) {
+      reportDirectoryListingLeak(xmlContent, matcher.start(), span);
+    }
+  }
+
+  private void checkWebXmlVulnerabilities(@Nonnull final Path path, final AgentSpan span) {
+    String webXmlContent = getXmlContent(path, WEB_XML);
     if (webXmlContent == null) {
       return;
     }
@@ -152,6 +213,7 @@ private void checkWebXmlVulnerabilities(@Nonnull Path path, AgentSpan span) {
           reportAdminConsoleActive(span, TOMCAT_HOST_MANAGER_APP);
           break;
         case LISTINGS_PATTERN:
+        case JETTY_LISTINGS_PATTERN:
           checkDirectoryListingLeak(webXmlContent, matcher.start(), span);
           break;
         case SESSION_TIMEOUT_START_TAG:
@@ -211,14 +273,19 @@ private void checkDirectoryListingLeak(
     int valueLast = webXmlContent.indexOf(PARAM_VALUE_END_TAG, valueIndex);
     String data = substringTrim(webXmlContent, valueIndex, valueLast);
     if (data.equalsIgnoreCase("true")) {
-      report(
-          span,
-          VulnerabilityType.DIRECTORY_LISTING_LEAK,
-          "Directory listings configured",
-          getLine(webXmlContent, index));
+      reportDirectoryListingLeak(webXmlContent, index, span);
     }
   }
 
+  private void reportDirectoryListingLeak(
+      final String webXmlContent, int index, final AgentSpan span) {
+    report(
+        span,
+        VulnerabilityType.DIRECTORY_LISTING_LEAK,
+        "Directory listings configured",
+        getLine(webXmlContent, index));
+  }
+
   private void checkSessionTimeOut(final String webXmlContent, int index, final AgentSpan span) {
     try {
       String innerText =
@@ -288,8 +355,8 @@ private static int getLine(String webXmlContent, int index) {
   }
 
   @Nullable
-  private static String webXmlContent(final Path realPath) {
-    Path path = realPath.resolve(WEB_INF).resolve(WEB_XML);
+  private static String getXmlContent(final Path realPath, final String fileName) {
+    Path path = realPath.resolve(WEB_INF).resolve(fileName);
     if (Files.exists(path)) {
       try {
         return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy

@@ -64,7 +64,10 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     'application/sessiontimeout/secure'               | null                        | null                                                       | _
     'application/sessiontimeout/insecure'             | SESSION_TIMEOUT             | 'Found vulnerable timeout value: 80'                       | 7
     'application/directorylistingleak/secure'         | null                        | null                                                       | _
-    'application/directorylistingleak/insecure'       | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                            | 14
+    'application/directorylistingleak/insecure/tomcat'| DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                            | 14
+    'application/directorylistingleak/insecure/weblogic'     | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 17
+    'application/directorylistingleak/insecure/websphere/xmi'        | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 1
+    'application/directorylistingleak/insecure/websphere/xml'        | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 10
     'application/adminconsoleactive/secure'           | null                        | null                                                       | _
     'application/adminconsoleactive/insecure/tomcat/manager' | ADMIN_CONSOLE_ACTIVE | ApplicationModuleImpl.TOMCAT_MANAGER_APP                   | NO_LINE
     'application/adminconsoleactive/insecure/tomcat/host'    | ADMIN_CONSOLE_ACTIVE | ApplicationModuleImpl.TOMCAT_HOST_MANAGER_APP              | NO_LINE

dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/jetty/WEB-INF/web.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://java.sun.com/xml/ns/javaee"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+         id="WebApp_ID" version="3.0">
+  <servlet>
+    <servlet-name>default</servlet-name>
+    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
+    <init-param>
+      <param-name>resourceBase</param-name>
+      <param-value>/path/to/your/static/files</param-value>
+    </init-param>
+    <init-param>
+      <param-name>dirAllowed</param-name>
+      <param-value>true</param-value>
+    </init-param>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>default</servlet-name>
+    <url-pattern>/*</url-pattern>
+  </servlet-mapping>
+</web-app>

dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/WEB-INF/web.xml renamed to dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/tomcat/WEB-INF/web.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
+  <container-descriptor>
+    <prefer-web-inf-classes>false</prefer-web-inf-classes>
+    <prefer-application-packages>
+      <package-name>javax.faces.*</package-name>
+      <package-name>com.sun.faces.*</package-name>
+      <package-name>com.bea.faces.*</package-name>
+    </prefer-application-packages>
+
+    <prefer-application-resources>
+      <resource-name>javax.faces.*</resource-name>
+      <resource-name>com.sun.faces.*</resource-name>
+      <resource-name>com.bea.faces.*</resource-name>
+      <resource-name>META-INF/services/javax.servlet.ServletContainerInitializer</resource-name>
+    </prefer-application-resources>
+    <index-directory-enabled>true</index-directory-enabled>
+  </container-descriptor>
+</weblogic-web-app>

dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/weblogic/WEB-INF/weblogic.xml

@@ -0,0 +1 @@
+directoryBrowsingEnabled="true"

dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/websphere/xmi/WEB-INF/ibm-web-ext.xmi

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-ext xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
+         xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd" version="1.0">
+  <jsp-attribute name="reloadEnabled" value="true"/>
+  <jsp-attribute name="reloadInterval" value="10"/>
+
+  <reload-interval value="3"/>
+  <enable-reloading value="true"/>
+  <enable-file-serving value="false"/>
+  <enable-directory-browsing value="true"/>
+  <enable-serving-servlets-by-class-name value="true" />
+  <pre-compile-jsps value="false"/>
+  <auto-encode-requests value="false"/>
+  <auto-encode-responses value="false"/>
+</web-ext>