hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Convert header splitting sinks to CSV format

Browse Source
This commit is contained in:
Tamas Vajk
2021-03-31 10:16:14 +02:00
parent f329c3fdab
commit 0b7a6671dd
2 changed files with 17 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -76,6 +76,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.ApacheHttp
private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.frameworks.guava.Guava
private import semmle.code.java.security.ResponseSplitting
}
private predicate sourceModelCsv(string row) {

43
java/ql/src/semmle/code/java/security/ResponseSplitting.qll
View File

@@ -5,41 +5,30 @@ import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.JaxWS
private import semmle.code.java.dataflow.ExternalFlow
/** A sink that is vulnerable to an HTTP header splitting attack. */
abstract class HeaderSplittingSink extends DataFlow::Node { }
class HeaderSplittingSink extends DataFlow::Node {
HeaderSplittingSink() { sinkNode(this, "header-splitting") }
}
private class HeaderSplittingSinkModel extends SinkModelCsv {
override predicate row(string row) {
row =
[
"javax.servlet.http;HttpServletResponse;false;addCookie;;;Argument[0];header-splitting",
"javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument;header-splitting",
"javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument;header-splitting",
"javax.ws.rs.core;ResponseBuilder;false;header;;;Argument[1];header-splitting"
]
}
}
/** A source that introduces data considered safe to use by a header splitting source. */
abstract class SafeHeaderSplittingSource extends DataFlow::Node {
SafeHeaderSplittingSource() { this instanceof RemoteFlowSource }
}
/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */
private class ServletHeaderSplittingSink extends HeaderSplittingSink {
ServletHeaderSplittingSink() {
exists(ResponseAddCookieMethod m, MethodAccess ma |
ma.getMethod() = m and
this.asExpr() = ma.getArgument(0)
)
or
exists(ResponseAddHeaderMethod m, MethodAccess ma |
ma.getMethod() = m and
this.asExpr() = ma.getAnArgument()
)
or
exists(ResponseSetHeaderMethod m, MethodAccess ma |
ma.getMethod() = m and
this.asExpr() = ma.getAnArgument()
)
or
exists(JaxRsResponseBuilder builder, Method m |
m = builder.getAMethod() and m.getName() = "header"
|
this.asExpr() = m.getAReference().getArgument(1)
)
}
}
/** A default source that introduces data considered safe to use by a header splitting source. */
private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
DefaultSafeHeaderSplittingSource() {