Rule Definition
The software constructs all or part of a MVC parameters via user-controllable inputs. If an attacker provides a URL with the request parameter matching a sensitive file location, they would be able to view that file, for instance applicationContext.xml, and from there, other .jar or .class files. The latter could used to plan for other attacks and/or gain sensitive information about the application.

Remediation
Assume all input is malicious. Avoid using inputs. If it is not possible, use an "accept known good" input validation strategy, i.e., use stringent white-lists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack. Alternatively, switch to Spring Web Flow.

Violation Code Sample

@RequestMapping(value = "/content", method = RequestMethod.GET)
public ModelAndView getContentFromParam(@RequestParam("page") String page) {
    return new ModelAndView(page);   // VIOLATION, since page is tainted input.
}

Fixed Code Sample

@RequestMapping(value = "/content", method = RequestMethod.GET)
public ModelAndView getContentFromParam(@RequestParam("page") String page) {
    String authorizedPage = isAuthorizedPage(page);    // HINT : configure isAuthorizedPage() as sanitization.
    if (authorizedPage != null)
        return new ModelAndView(authorizedPage);
    return unhautorizedPage(page);
}

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') https://cwe.mitre.org/data/definitions/74.html CWE-552: Files or Directories Accessible to External Parties https://cwe.mitre.org/data/definitions/552.html OWASP Attacks - Full Path Disclosure https://owasp.org/www-community/attacks/Full_Path_Disclosure