Scala Unsafe Input Resource Injection

Description

Detects unsafe resource access patterns in Scala Play Framework applications where user-controlled input reaches file or resource lookups such as Environment.getFile() or getResource(). An attacker can then read files or resources outside the intended directory through path traversal.

Weakness:

201 - Unauthorized access to files

Category: Access Subversion

Detection Strategy

    Checks whether Play Framework MVC components are imported in the code

    Identifies usage of the Environment class and records the variables that reference its instance

    Looks for calls to suspicious resource access methods such as getFile() and getResource()

    Verifies whether the method arguments contain, or are influenced by, user-controlled input

    Reports a vulnerability when a suspicious resource access method is called with potentially tainted input

Vulnerable code example

package controllers

import javax.inject._
import play.api.mvc._
import play.api.Environment

@Singleton
class ResourceController @Inject()(env: Environment, cc: ControllerComponents) extends AbstractController(cc) {...

✅ Secure code example

package controllers

import javax.inject._
import play.api.mvc._
import play.api.Environment

@Singleton
class ResourceController @Inject()(env: Environment, cc: ControllerComponents) extends AbstractController(cc) {...
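As an added illustration, and not the rule database's own code or the truncated snippets above, the following controller shows the tainted getFile() call this rule reports beside a hardened action that confines the user value to the downloads directory. The public/downloads directory and the action names are assumptions.

```scala
package controllers

import java.nio.file.Path
import javax.inject._
import play.api.Environment
import play.api.mvc._

// Added illustration, not the rule database's own code. The downloads
// directory and the action names are assumptions.
@Singleton
class ResourceController @Inject()(env: Environment, cc: ControllerComponents)
    extends AbstractController(cc) {

  // Flagged by the rule: `name` comes straight from the request, and
  // Environment.getFile() only joins it onto the application root, so a
  // value such as "../../conf/application.conf" escapes the downloads directory.
  def downloadUnsafe(name: String): Action[AnyContent] = Action {
    val file = env.getFile("public/downloads/" + name)
    if (file.isFile) Ok.sendFile(file) else NotFound
  }

  // Hardened: the base directory is fixed, the user value is limited to a
  // single path segment, and the normalised result must stay under the base.
  private val downloads: Path =
    env.getFile("public/downloads").toPath.toAbsolutePath().normalize()

  def downloadSafe(name: String): Action[AnyContent] = Action {
    ResourceController.resolveUnder(downloads, name) match {
      case Some(p) if p.toFile.isFile => Ok.sendFile(p.toFile)
      case _                          => NotFound
    }
  }
}

object ResourceController {
  // Returns the resolved path only when it remains inside `base`.
  // Separators are rejected because a download name is a single segment;
  // normalize() collapses "." and ".." so the containment check sees the
  // real target. Symlinks are not followed; use toRealPath() if the file
  // must already exist and symlink escapes matter.
  def resolveUnder(base: Path, userInput: String): Option[Path] = {
    if (userInput.isEmpty || userInput.contains("/") || userInput.contains("\\")) None
    else {
      val candidate = base.resolve(userInput).normalize()
      if (candidate.startsWith(base) && candidate != base) Some(candidate)
      else None
    }
  }
}
```

The containment check in resolveUnder is the part the detector cannot see from the call site alone, so keeping it in a small, separately testable function makes both review and unit testing straightforward.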