Greetings,
Our client has asked us to use this tool https://github.com/assetnote/hopgoblin to find and correct possible security issues detected by the tool's scanner. While I was able to fix some of them, I have not been able to find a solution for these two.
I have tried using the dispatcher filter, but it has not worked.
And I have not been able to find out much more about these flags or how to correct them, so any help would be appreciated.
Best Regards and Thanks in advance
Daniel
Hi @DanielMa63,
I believe the best solution for addressing this alert is to eliminate direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed. For example, you can encapsulate the query within a servlet that strictly controls valid inputs and determines the queries that can be executed.
Although the dispatcher rules prevent external access, if someone gains access to the instances, these APIs could still be exploited. This is why the tool continues to report them.
Hello @giuseppebaglio, how do I eliminate direct access to those endpoints? Is it simply by creating the servlet?
Best regards
Daniel
After creating the servlet, locate the sections of your code where those API endpoints are used and replace the calls with the URL for your new servlet.
Hello @giuseppebaglio, our code does not really call those endpoints; it seems to just be a check from hopgoblin.
After creating the servlet the flag still persists; maybe I did it wrong.
Any other ideas? Sorry for the trouble.
Best Regards
Daniel
To effectively mitigate this alert, direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed should be disabled. Instead, implement a custom servlet that encapsulates query execution logic. This servlet must enforce strict input validation and explicitly define the permissible queries to ensure controlled and secure operations.
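As an added illustration of the servlet described in the two replies above (example code, not from the thread or from hopgoblin), here is a Sling servlet that exposes exactly one server-defined QueryBuilder query and accepts only a shape-validated `tag` parameter; the path `/bin/example/pages-by-tag`, the class name and the site root `/content/example` are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;

@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/pages-by-tag", "sling.servlet.methods=GET" })
public class PagesByTagServlet extends SlingSafeMethodsServlet {
    private static final Pattern TAG_ID = Pattern.compile("^[a-z0-9-]+:[a-z0-9/_-]+$"); // only this shape is accepted
    private static final String SITE_ROOT = "/content/example"; // hypothetical site root
    @Reference private QueryBuilder queryBuilder;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
        String tag = request.getParameter("tag");
        if (tag == null || !TAG_ID.matcher(tag).matches()) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "invalid tag");
            return;
        }
        // Predicates are fixed here; the client cannot add, remove or rewrite any of them.
        Map<String, String> predicates = new HashMap<>();
        predicates.put("path", SITE_ROOT);
        predicates.put("type", "cq:Page");
        predicates.put("tagid", tag);
        predicates.put("tagid.property", "jcr:content/cq:tags");
        predicates.put("p.limit", "50");
        Session session = request.getResourceResolver().adaptTo(Session.class);
        Query query = queryBuilder.createQuery(PredicateGroup.create(predicates), session);
        JsonArray paths = new JsonArray(); // only page paths are returned, never raw node properties
        for (Hit hit : query.getResult().getHits()) {
            try { paths.add(hit.getPath()); } catch (RepositoryException e) { /* skip unreadable hit */ }
        }
        JsonObject out = new JsonObject(); out.add("paths", paths);
        response.setContentType("application/json;charset=UTF-8");
        response.getWriter().write(out.toString());
    }
}
```

The query runs with the requesting user's session, so repository ACLs still apply on top of the fixed predicate set; the generic `/bin/querybuilder.json` and `/bin/querybuilder.feed` endpoints must still be blocked separately, since this servlet only replaces them for callers you control.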