Add directory listing to some JETTY servers

Author: jandro996

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/ApplicationModuleImpl.java

@@ -48,6 +48,7 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
       "org.springframework.web.servlet.DispatcherServlet";
   private static final String DEFAULT_HTML_ESCAPE = "defaultHtmlEscape";
   private static final String LISTINGS_PATTERN = "<param-name>listings</param-name>";
+  private static final String JETTY_LISTINGS_PATTERN = "<param-name>dirAllowed</param-name>";
   private static final String WEBLOGIC_LISTING_PATTERN =
       "<index-directory-enabled>true</index-directory-enabled>";
   private static final String WEBSPHERE_XMI_LISTING_PATTERN = "directoryBrowsingEnabled=\"true\"";
@@ -111,6 +112,7 @@ public class ApplicationModuleImpl extends SinkModuleBase implements Application
                   JETTY_SPEC_APP_PATTERN,
                   JETTY_TEST_APP_PATTERN,
                   LISTINGS_PATTERN,
+                  JETTY_LISTINGS_PATTERN,
                   SESSION_TIMEOUT_START_TAG,
                   SECURITY_CONSTRAINT_START_TAG)
               .map(Pattern::quote)
@@ -250,6 +252,7 @@ private void checkWebXmlVulnerabilities(@Nonnull Path path, AgentSpan span) {
           reportAdminConsoleActive(span, JETTY_TEST_APP);
           break;
         case LISTINGS_PATTERN:
+        case JETTY_LISTINGS_PATTERN:
           checkDirectoryListingLeak(webXmlContent, matcher.start(), span);
           break;
         case SESSION_TIMEOUT_START_TAG:

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/ApplicationModuleTest.groovy

@@ -65,6 +65,7 @@ class ApplicationModuleTest extends IastModuleImplTestBase {
     'application/sessiontimeout/insecure'                            | SESSION_TIMEOUT             | 'Found vulnerable timeout value: 80'                        | 7
     'application/directorylistingleak/secure'                        | null                        | null                                                        | _
     'application/directorylistingleak/insecure/tomcat'               | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 14
+    'application/directorylistingleak/insecure/jetty'                | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 14
     'application/directorylistingleak/insecure/weblogic'             | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 17
     'application/directorylistingleak/insecure/websphere/xmi'        | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 1
     'application/directorylistingleak/insecure/websphere/xml'        | DIRECTORY_LISTING_LEAK      | 'Directory listings configured'                             | 10

dd-java-agent/agent-iast/src/test/resources/application/directorylistingleak/insecure/jetty/WEB-INF/web.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://java.sun.com/xml/ns/javaee"
+         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+         id="WebApp_ID" version="3.0">
+  <servlet>
+    <servlet-name>default</servlet-name>
+    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
+    <init-param>
+      <param-name>resourceBase</param-name>
+      <param-value>/path/to/your/static/files</param-value>
+    </init-param>
+    <init-param>
+      <param-name>dirAllowed</param-name>
+      <param-value>true</param-value>
+    </init-param>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>default</servlet-name>
+    <url-pattern>/*</url-pattern>
+  </servlet-mapping>
+</web-app>