Java: update header-splitting sink kind to response-splitting

2025-12-21 11:16:30 +01:00 · 2023-05-09 12:17:08 -04:00
parent 51df84ed1c
commit 041caa7405
4 changed files with 6 additions and 6 deletions
--- a/java/ql/lib/ext/javax.servlet.http.model.yml
+++ b/java/ql/lib/ext/javax.servlet.http.model.yml
@@ -22,10 +22,10 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["javax.servlet.http", "HttpServletResponse", False, "addCookie", "", "", "Argument[0]", "header-splitting", "manual"]
-      - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "header-splitting", "manual"]
+      - ["javax.servlet.http", "HttpServletResponse", False, "addCookie", "", "", "Argument[0]", "response-splitting", "manual"]
+      - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
      - ["javax.servlet.http", "HttpServletResponse", False, "sendError", "(int,String)", "", "Argument[1]", "information-leak", "manual"]
-      - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "header-splitting", "manual"]
+      - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/ext/javax.ws.rs.core.model.yml
+++ b/java/ql/lib/ext/javax.ws.rs.core.model.yml
@@ -5,7 +5,7 @@ extensions:
    data:
      - ["javax.ws.rs.core", "Response", True, "seeOther", "", "", "Argument[0]", "url-redirection", "manual"]
      - ["javax.ws.rs.core", "Response", True, "temporaryRedirect", "", "", "Argument[0]", "url-redirection", "manual"]
-      - ["javax.ws.rs.core", "ResponseBuilder", False, "header", "", "", "Argument[1]", "header-splitting", "manual"]
+      - ["javax.ws.rs.core", "ResponseBuilder", False, "header", "", "", "Argument[1]", "response-splitting", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -277,7 +277,7 @@ module ModelValidation {
          "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
          "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",
          "ognl-injection", "intent-redirection", "pending-intents", "url-redirection",
-          "create-file", "read-file", "write-file", "hostname-verification", "header-splitting",
+          "create-file", "read-file", "write-file", "hostname-verification", "response-splitting",
          "information-leak", "xslt-injection", "jexl-injection", "bean-validation",
          "template-injection", "fragment-injection", "command-injection"
        ] and
--- a/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplitting.qll
@@ -11,7 +11,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 abstract class HeaderSplittingSink extends DataFlow::Node { }

 private class DefaultHeaderSplittingSink extends HeaderSplittingSink {
-  DefaultHeaderSplittingSink() { sinkNode(this, "header-splitting") }
+  DefaultHeaderSplittingSink() { sinkNode(this, "response-splitting") }
 }

 /** A source that introduces data considered safe to use by a header splitting source. */