Greetings,
Our client has asked us to use this tool https://github.com/assetnote/hopgoblin to find and correct possible security issues that are detected by the tool's scanner. While I was able to fix some of them, I have not been able to find a solution for these two.
I have tried using the dispatcher filter, but it has not worked.
And I have not been able to find out much more about these flags or how to correct them, so any help would be appreciated.
Best Regards and Thanks in advance
Daniel
Hi @DanielMa63,
I believe the best solution for addressing this alert is to eliminate direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed. For example, you can encapsulate the query within a servlet that strictly controls valid inputs and determines the queries that can be executed.
Although the dispatcher rules prevent external access, if someone gains access to the instances, these APIs could still be exploited. This is why the tool continues to report them.
Hello @giuseppebaglio, how do I eliminate direct access to those endpoints? Is it simply by creating the servlet?
Best regards
Daniel
After creating the servlet, locate the sections of your code where those API endpoints are used and replace the calls with the URL for your new servlet.
Hello @giuseppebaglio, our code does not really call those endpoints; it seems to just be a check from hopgoblin.
After creating the servlet the flag still persists, maybe I did it wrong.
Any other idea? Sorry for the trouble.
Best Regards
Daniel
To effectively mitigate this alert, direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed should be disabled. Instead, implement a custom servlet that encapsulates query execution logic. This servlet must enforce strict input validation and explicitly define the permissible queries to ensure controlled and secure operations.
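As an added illustration of the wrapper servlet described above (example code, not from the thread, hopgoblin or Adobe): the query's path, node type and page size are fixed in code and only a validated fulltext term comes from the caller. The servlet path /bin/example/pagesearch and the content root are hypothetical, and the code assumes AEM 6.5 or later with OSGi DS annotations and the bundled Gson.

```java
import com.day.cq.search.PredicateGroup;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import com.google.gson.JsonArray;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/pagesearch",  // hypothetical path, added example only
        "sling.servlet.methods=GET" })
public class AllowListedSearchServlet extends SlingSafeMethodsServlet {
    // The search root and node type are fixed here; the caller never supplies a path or predicate.
    private static final String ROOT = "/content/example-site";  // constructed sample root
    @Reference private QueryBuilder queryBuilder;

    @Override
    protected void doGet(SlingHttpServletRequest req, SlingHttpServletResponse resp) throws IOException {
        String term = req.getParameter("q");
        // Letters, digits and spaces only, so no QueryBuilder predicate syntax can be smuggled in.
        if (term == null || !term.matches("[\\p{L}\\p{N} ]{1,64}")) {
            resp.sendError(400, "invalid search term");
            return;
        }
        // Only the fulltext value comes from the request; shape and size of the query are ours.
        Map<String, String> predicates = new HashMap<>();
        predicates.put("path", ROOT);
        predicates.put("type", "cq:Page");
        predicates.put("fulltext", term);
        predicates.put("p.limit", "20");
        Session session = req.getResourceResolver().adaptTo(Session.class);
        try {
            JsonArray hits = new JsonArray();
            for (Hit hit : queryBuilder.createQuery(PredicateGroup.create(predicates), session).getResult().getHits()) {
                hits.add(hit.getPath());  // expose paths only, not raw node properties
            }
            resp.setContentType("application/json;charset=UTF-8");
            resp.getWriter().write(hits.toString());
        } catch (RepositoryException e) {
            resp.sendError(500, "search failed");
        }
    }
}
```

The wrapper on its own does not change what the scanner sees on /bin/querybuilder.json and /bin/querybuilder.feed; removing direct access to those stock endpoints is a separate step.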
I tried to do a simple servlet just to check if it would change the response, but it did not work.
Any recommendation on how I should implement it?
Best Regards
Daniel
One simple approach is to just disable those servlets in the OSGI console at /system/console/components
Manually stopping components is not an ideal approach since those components will restart when AEM is restarted. A more reliable approach is to use the ACS AEM Commons project's "OSGI Component Disabler" feature that lets you disable specific components based on their class name. You can also add a configuration file for the Disabler to your codebase so the unwanted components are disabled in a reliable way.
@DanielMa63 Just checking in! Were you able to get this resolved? If you found your own solution, sharing the details would be a big help to others who might face the same issue later on. And if one of the replies here helped, whether it fully solved the problem or simply pointed you in the right direction, marking it as accepted makes it much easier for future readers to find. Thanks again for helping close the loop and contributing to the community!