Cleanup Netty Response Splitting Query

Jonathan Leitschuh
2022-02-07 10:49:22 -05:00
parent 8ffe878722
commit 03fdee3767
2 changed files with 17 additions and 10 deletions


@@ -10,6 +10,7 @@
* @id java/netty-http-request-or-response-splitting * @id java/netty-http-request-or-response-splitting
* @tags security * @tags security
* external/cwe/cwe-113 * external/cwe/cwe-113
* external/capec/capec-105
*/ */
import java import java
@@ -19,33 +20,34 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
int vulnerableArgumentIndex; int vulnerableArgumentIndex;
InsecureNettyObjectCreation() { InsecureNettyObjectCreation() {
DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false), this.getArgument(vulnerableArgumentIndex)) DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false),
this.getArgument(vulnerableArgumentIndex))
} }
abstract string splittingType(); abstract string splittingType();
} }
abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Request-splitting or response-splitting" } override string splittingType() { result = "Request splitting or response splitting" }
} }
/** /**
* Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection. * Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
*/ */
abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Request-splitting" } override string splittingType() { result = "Request splitting" }
} }
/** /**
* Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning. * Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
*/ */
abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation { abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
override string splittingType() { result = "Response-splitting" } override string splittingType() { result = "Response splitting" }
} }
private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation { private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpHeadersClassInstantiation() { InsecureDefaultHttpHeadersClassInstantiation() {
getConstructedType() this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http", .hasQualifiedName("io.netty.handler.codec.http",
["DefaultHttpHeaders", "CombinedHttpHeaders"]) and ["DefaultHttpHeaders", "CombinedHttpHeaders"]) and
vulnerableArgumentIndex = 0 vulnerableArgumentIndex = 0
@@ -54,28 +56,30 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation { private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpResponseClassInstantiation() { InsecureDefaultHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
vulnerableArgumentIndex = 2 vulnerableArgumentIndex = 2
} }
} }
private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation { private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
InsecureDefaultHttpRequestClassInstantiation() { InsecureDefaultHttpRequestClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and
vulnerableArgumentIndex = 3 vulnerableArgumentIndex = 3
} }
} }
private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation { private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
InsecureDefaultFullHttpResponseClassInstantiation() { InsecureDefaultFullHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
vulnerableArgumentIndex = [2, 3] vulnerableArgumentIndex = [2, 3]
} }
} }
private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation { private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
InsecureDefaultFullHttpRequestClassInstantiation() { InsecureDefaultFullHttpRequestClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and this.getConstructedType()
.hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and
vulnerableArgumentIndex = [3, 4] vulnerableArgumentIndex = [3, 4]
} }
} }
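Review bot: The Javadoc above `RequestSplittingInsecureNettyObjectCreation` still reads "Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection." on the new side, so the cleanup left that grammar error in place. Suggest `* Request splitting can allow an attacker to inject/smuggle an additional HTTP request into the socket connection.`. Separately, the characteristic predicate of `InsecureNettyObjectCreation` only matches when a compile-time constant `false` reaches the argument at `vulnerableArgumentIndex` via `DataFlow::localExprFlow`, so a `false` arriving through a field, parameter or configuration value is presumably not flagged; a comment stating that intended scope would help maintainers, e.g. `// Only local flow from a literal false is matched; non-local sources are out of scope.` The class's own declaration line is the hunk's context header, so its start sits just outside the hunk.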


@@ -14,7 +14,7 @@ This can allow an attacker to perform an SSRF-like attack.</p>
<p>In the context of a servlet container, if the user input includes blank lines <p>In the context of a servlet container, if the user input includes blank lines
and the servlet container does not escape the blank lines, and the servlet container does not escape the blank lines,
then a remote user can cause the response to turn into two separate responses. then a remote user can cause the response to turn into two separate responses.
The remote user can then control one response, which is also HTTP response splitting.</p> The remote user can then control one or more responses, which is also HTTP response splitting.</p>
</overview> </overview>
<recommendation> <recommendation>
@@ -59,5 +59,8 @@ OWASP:
<li> <li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>. Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>.
</li> </li>
<li>
CAPEC: <a href="https://capec.mitre.org/data/definitions/105.html">CAPEC-105: HTTP Request Splitting</a>
</li>
</references> </references>
</qhelp> </qhelp>