How to address hopgoblin's exposed json and feed for query builder | Community
Level 2
November 18, 2025
Question

How to address hopgoblin's exposed json and feed for query builder

  • November 18, 2025
  • 2 replies
  • 192 views

Greetings,

Our client has asked us to use this tool https://github.com/assetnote/hopgoblin to find and correct possible security issues detected by the tool's scanner. While I was able to fix some of them, I have not been able to find a solution for these two.

I have tried using the dispatcher filter, but it has not worked.

And I have not been able to find out much more about these flags or how to correct them, so any help would be appreciated.

Best Regards and Thanks in advance

Daniel

2 replies

giuseppebaglio
Level 10
November 18, 2025

Hi @danielma63,

I believe the best solution for addressing this alert is to eliminate direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed. For example, you can encapsulate the query within a servlet that strictly controls valid inputs and determines the queries that can be executed.

Although the dispatcher rules prevent external access, if someone gains access to the instances, these APIs could still be exploited. This is why the tool continues to report them.
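
As an added example (not code from this thread, from hopgoblin, or from Adobe), here is what such a wrapper servlet can look like: the client supplies only a search term, and everything else about the query (root path, node type, ordering, result size, returned fields) is fixed in code. The package name, the servlet path `/bin/example/pagesearch`, the search root and the `q` parameter are assumptions; the QueryBuilder, Sling and OSGi APIs used are the standard AEM ones.

```java
package com.example.search; // hypothetical package

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import com.day.cq.search.result.SearchResult;

/**
 * Hypothetical replacement for direct calls to /bin/querybuilder.json.
 * The only client-controlled input is a short search term; the query
 * itself is defined here, so callers cannot pick arbitrary paths, node
 * types, property names, limits or "p.hits=full" style projections.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/pagesearch", // assumed path
        "sling.servlet.methods=GET"
})
public class PageSearchServlet extends SlingSafeMethodsServlet {

    // Letters, digits and spaces only: excludes fulltext syntax characters
    // (quotes, wildcards, leading minus) and keeps the term short.
    private static final Pattern SAFE_TERM = Pattern.compile("^[\\p{L}\\p{N} ]{2,64}$");
    private static final String SEARCH_ROOT = "/content/example/site"; // assumed root
    private static final long MAX_HITS = 20;

    @Reference
    private QueryBuilder queryBuilder;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        String term = request.getParameter("q");
        if (term == null || !SAFE_TERM.matcher(term).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid search term");
            return;
        }

        // Fixed predicate map: the client cannot add or override any key.
        Map<String, String> predicates = new HashMap<>();
        predicates.put("path", SEARCH_ROOT);
        predicates.put("type", "cq:Page");
        predicates.put("fulltext", term);
        predicates.put("fulltext.relPath", "jcr:content");
        predicates.put("orderby", "@jcr:content/cq:lastModified");
        predicates.put("orderby.sort", "desc");

        // The query runs with the requester's own session, so repository
        // ACLs still apply; the wrapper narrows what can be asked, it does
        // not widen what can be read.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        Query query = queryBuilder.createQuery(PredicateGroup.create(predicates), session);
        query.setStart(0);
        query.setHitsPerPage(MAX_HITS); // hard cap instead of a client-supplied p.limit

        try {
            SearchResult result = query.getResult();
            // Return a fixed projection (path and title), not raw node properties.
            JsonArrayBuilder hits = Json.createArrayBuilder();
            for (Hit hit : result.getHits()) {
                hits.add(Json.createObjectBuilder()
                        .add("path", hit.getPath())
                        .add("title", hit.getTitle() == null ? "" : hit.getTitle()));
            }
            String body = Json.createObjectBuilder()
                    .add("total", result.getTotalMatches())
                    .add("hits", hits)
                    .build().toString();
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write(body);
        } catch (RepositoryException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "search failed");
        }
    }
}
```

Callers would then request `/bin/example/pagesearch?q=term` instead of `/bin/querybuilder.json?...`. The point is the inversion of control: with the built-in endpoint every predicate is chosen by the client, here every predicate is chosen by the server and the client contributes one validated value.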

Level 2
November 19, 2025

Hello @giuseppebaglio, how do I eliminate direct access to those endpoints? Is it simply by creating the servlet?

Best regards

Daniel

giuseppebaglio
Level 10
November 19, 2025

After creating the servlet, locate the sections of your code where those API endpoints are used and replace the calls with the URL for your new servlet.
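
Creating the servlet and repointing callers does not by itself stop anyone from calling /bin/querybuilder.json and /bin/querybuilder.feed directly on the instance. One way to close that on the instance itself, given as an added example (not code from this thread or from Adobe), is a Sling request filter that answers those paths with a 404 on publish run mode only, since the author UI depends on the built-in endpoints. The package name and the chosen status code are assumptions; the OSGi `Filter` registration, `SlingSettingsService` and `RequestPathInfo` APIs are standard.

```java
package com.example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Hypothetical filter that blocks the built-in QueryBuilder endpoints on
 * publish instances, independent of whatever the dispatcher in front of
 * them allows. Registered at REQUEST scope so it runs after resource
 * resolution and before the QueryBuilder servlet is executed.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        "service.ranking:Integer=1000"
})
public class QueryBuilderBlockFilter implements Filter {

    // Matches both /bin/querybuilder.json and /bin/querybuilder.feed.
    private static final String BLOCKED_PREFIX = "/bin/querybuilder";

    @Reference
    private SlingSettingsService settings;

    private boolean enabled;

    @Activate
    protected void activate() {
        // Author instances need these endpoints for the Sites/Assets UI,
        // so only enforce on publish.
        enabled = settings.getRunModes().contains("publish");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (enabled && req instanceof SlingHttpServletRequest) {
            SlingHttpServletRequest request = (SlingHttpServletRequest) req;
            // Compare the resolved resource path rather than the raw request
            // URI, so selector, suffix and extension variants that still
            // resolve to the same servlet are caught as well.
            String resourcePath = request.getRequestPathInfo().getResourcePath();
            if (resourcePath != null && resourcePath.startsWith(BLOCKED_PREFIX)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to clean up
    }
}
```

After deploying, check the result directly against the publish instance (not only through the dispatcher), for example with `curl -i http://publish-host:4503/bin/querybuilder.json?path=/content` and the same for `.feed`, and confirm you get the 404 rather than a JSON or feed body. Keep the dispatcher deny rule as well; the two layers cover different failure modes.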

Level 2
November 18, 2025

To effectively mitigate this alert, direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed should be disabled. Instead, implement a custom servlet that encapsulates query execution logic. This servlet must enforce strict input validation and explicitly define the permissible queries to ensure controlled and secure operations.