Cleanup Netty Response Splitting Query

This commit is contained in:
Jonathan Leitschuh
2022-02-07 10:49:22 -05:00
parent 8ffe878722
commit 03fdee3767
2 changed files with 17 additions and 10 deletions


@@ -10,6 +10,7 @@
* @id java/netty-http-request-or-response-splitting
* @tags security
* external/cwe/cwe-113
* external/capec/capec-105
*/
import java
@@ -19,33 +20,34 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
int vulnerableArgumentIndex;
InsecureNettyObjectCreation() {
DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false), this.getArgument(vulnerableArgumentIndex))
DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false),
this.getArgument(vulnerableArgumentIndex))
}
abstract string splittingType();
}
abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Request-splitting or response-splitting" }
override string splittingType() { result = "Request splitting or response splitting" }
}
/**
* Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
*/
abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Request-splitting" }
override string splittingType() { result = "Request splitting" }
}
/**
* Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
*/
abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Response-splitting" }
override string splittingType() { result = "Response splitting" }
}
private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpHeadersClassInstantiation() {
getConstructedType()
this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http",
["DefaultHttpHeaders", "CombinedHttpHeaders"]) and
vulnerableArgumentIndex = 0
@@ -54,28 +56,30 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
vulnerableArgumentIndex = 2
}
}
private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpRequestClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and
this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and
vulnerableArgumentIndex = 3
}
}
private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultFullHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
vulnerableArgumentIndex = [2, 3]
}
}
private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
InsecureDefaultFullHttpRequestClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and
this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and
vulnerableArgumentIndex = [3, 4]
}
}
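Review bot: The abstract `InsecureNettyObjectCreation` class still has no QLDoc, and its characteristic predicate encodes a precision trade-off a reader cannot see from the subclasses: only a `CompileTimeConstantExpr` with boolean value `false` that reaches `getArgument(vulnerableArgumentIndex)` through `DataFlow::localExprFlow` is reported, so a validation flag that arrives from a parameter, a configuration lookup or another method is silently out of scope (presumably intentional to keep the alert precise, but undocumented). I would add above the class `/** A Netty HTTP message or header construction whose header-validation argument (position `vulnerableArgumentIndex`) is a compile-time constant `false` reaching the call via local data flow; non-constant or interprocedurally supplied flags are not reported. */`, and a one-line comment on the field noting that the index is per-constructor, which is why the full request/response subclasses list two positions. The class header itself is only visible in the hunk's `@@` context line, so the declaration starts outside the hunk. Separately, the context comment "Request splitting can allowing an attacker to inject/smuggle" in the `RequestSplittingInsecureNettyObjectCreation` QLDoc should read "can allow".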


@@ -14,7 +14,7 @@ This can allow an attacker to perform an SSRF-like attack.</p>
<p>In the context of a servlet container, if the user input includes blank lines
and the servlet container does not escape the blank lines,
then a remote user can cause the response to turn into two separate responses.
The remote user can then control one response, which is also HTTP response splitting.</p>
The remote user can then control one or more responses, which is also HTTP response splitting.</p>
</overview>
<recommendation>
@@ -59,5 +59,8 @@ OWASP:
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>.
</li>
<li>
CAPEC: <a href="https://capec.mitre.org/data/definitions/105.html">CAPEC-105: HTTP Request Splitting</a>
</li>
</references>
</qhelp>