From 041caa740558cc08b974b7df5a80bd3aa425d24a Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Tue, 9 May 2023 12:17:08 -0400 Subject: [PATCH] Java: update header-splitting sink kind to response-splitting --- java/ql/lib/ext/javax.servlet.http.model.yml | 6 +++--- java/ql/lib/ext/javax.ws.rs.core.model.yml | 2 +- java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 2 +- java/ql/lib/semmle/code/java/security/ResponseSplitting.qll | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/java/ql/lib/ext/javax.servlet.http.model.yml b/java/ql/lib/ext/javax.servlet.http.model.yml index e4c0a2b2332..6485ea22a2e 100644 --- a/java/ql/lib/ext/javax.servlet.http.model.yml +++ b/java/ql/lib/ext/javax.servlet.http.model.yml @@ -22,10 +22,10 @@ extensions: pack: codeql/java-all extensible: sinkModel data: - - ["javax.servlet.http", "HttpServletResponse", False, "addCookie", "", "", "Argument[0]", "header-splitting", "manual"] - - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "header-splitting", "manual"] + - ["javax.servlet.http", "HttpServletResponse", False, "addCookie", "", "", "Argument[0]", "response-splitting", "manual"] + - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "response-splitting", "manual"] - ["javax.servlet.http", "HttpServletResponse", False, "sendError", "(int,String)", "", "Argument[1]", "information-leak", "manual"] - - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "header-splitting", "manual"] + - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "response-splitting", "manual"] - addsTo: pack: codeql/java-all extensible: summaryModel diff --git a/java/ql/lib/ext/javax.ws.rs.core.model.yml b/java/ql/lib/ext/javax.ws.rs.core.model.yml index cf94b255176..dfdf2ee6fd0 100644 --- a/java/ql/lib/ext/javax.ws.rs.core.model.yml +++ b/java/ql/lib/ext/javax.ws.rs.core.model.yml @@ -5,7 +5,7 @@ extensions: data: - ["javax.ws.rs.core", "Response", True, "seeOther", "", "", "Argument[0]", "url-redirection", "manual"] - ["javax.ws.rs.core", "Response", True, "temporaryRedirect", "", "", "Argument[0]", "url-redirection", "manual"] - - ["javax.ws.rs.core", "ResponseBuilder", False, "header", "", "", "Argument[1]", "header-splitting", "manual"] + - ["javax.ws.rs.core", "ResponseBuilder", False, "header", "", "", "Argument[1]", "response-splitting", "manual"] - addsTo: pack: codeql/java-all extensible: summaryModel diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 78c98c07b04..e264be4a83b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -277,7 +277,7 @@ module ModelValidation { "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url", "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss", "ognl-injection", "intent-redirection", "pending-intents", "url-redirection", - "create-file", "read-file", "write-file", "hostname-verification", "header-splitting", + "create-file", "read-file", "write-file", "hostname-verification", "response-splitting", "information-leak", "xslt-injection", "jexl-injection", "bean-validation", "template-injection", "fragment-injection", "command-injection" ] and diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll b/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll index 916b6df4372..2e2033443a5 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll @@ -11,7 +11,7 @@ private import semmle.code.java.dataflow.ExternalFlow abstract class HeaderSplittingSink extends DataFlow::Node { } private class DefaultHeaderSplittingSink extends HeaderSplittingSink { - DefaultHeaderSplittingSink() { sinkNode(this, "header-splitting") } + DefaultHeaderSplittingSink() { sinkNode(this, "response-splitting") } } /** A source that introduces data considered safe to use by a header splitting source. */