New rule : Detect dynamic JSP Includes #104
Description
Detect jsp include where the source included is dynamically constructed.
Unsafe samples
<jsp:include page="${param.secret_param_page}" /><c:import url="${param.secret_param_page}" />Safe samples
<%@include file="${param.secret_param_page}"%> <!-- file param can not be dynamic--><jsp:include page="header.jsp" /> <!-- static value --><c:import url="header.jsp" /> <!-- static value -->