hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2192 from JLLeitschuh/feature/JLL/http_response_splitting_netty

Browse Source 
Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
This commit is contained in:
Anders Schack-Mulligen
2019-10-28 15:01:20 +01:00
committed by GitHub
parent 70b114b827 934eed97df
commit 0ffcf9ce64
4 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java Normal file
View File

@@ -0,0 +1,9 @@
import io.netty.handler.codec.http.DefaultHttpHeaders;
public class ResponseSplitting {
// BAD: Disables the internal response splitting verification
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
// GOOD: Verifies headers passed don't contain CRLF characters
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
}

5
java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp Normal file
View File

@@ -0,0 +1,5 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<include src="ResponseSplitting.qhelp" /></qhelp>

20
java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql Normal file
View File

@@ -0,0 +1,20 @@
/**
* @name Disabled Netty HTTP header validation
* @description Disabling HTTP header validation makes code vulnerable to
* attack by header splitting if user input is written directly to
* an HTTP header.
* @kind problem
* @problem.severity error
* @precision high
* @id java/netty-http-response-splitting
* @tags security
* external/cwe/cwe-113
*/
import java
from ClassInstanceExpr new
where
new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
select new, "Response-splitting vulnerability due to verification being disabled."

7
java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
View File

@@ -26,6 +26,13 @@ characters, thus avoiding the potential problem.</p>
<sample src="ResponseSplitting.java" />
</example>
<example>
<p>The following example shows the use of the library 'netty' with HTTP response-splitting verification configurations.
The second way will verify the parameters before using them to build the HTTP response.</p>
<sample src="NettyResponseSplitting.java" />
</example>
<references>
<li>
InfosecWriters: <a href="http://www.infosecwriters.com/Papers/DCrab_HTTP_Response.pdf">HTTP response splitting</a>.