Rule Definition
The software constructs all or part of a MVC parameters via user-controllable inputs. If an attacker provides a URL with the request parameter matching a sensitive file location, they would be able to view that file, for instance applicationContext.xml, and from there, other .jar or .class files. The latter could used to plan for other attacks and/or gain sensitive information about the application.

Remediation
Assume all input is malicious. Avoid using inputs. If it is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack. Alternatively, switch to Spring Web Flow.

Violation Code Sample

Struts 1 sample :
    String taintedURL = request.getParameter("taintedURL");
    return new ActionForward(taintedURL);   // VIOLATION, param is tainted

Servlet API sample :
    String taintedURL = request.getParameter("taintedURL");
    RequestDispatcher rd = request.getRequestDispatcher(taintedURL);  // VIOLATION, param is tainted
    rd.forward();

Fixed Code Sample

Struts 1 sample :
    return new ActionForward(hardcodedURL);

Servlet API sample :
    RequestDispatcher rd = request.getRequestDispatcher(hardcodedURL);
    rd.forward();

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') https://cwe.mitre.org/data/definitions/74.html CWE-552: Files or Directories Accessible to External Parties https://cwe.mitre.org/data/definitions/552.html OWASP Attacks - Full Path Disclosure https://owasp.org/www-community/attacks/Full_Path_Disclosure Ryan Berg https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf