diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
index d32e7544f3e..6132406bf3a 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -27,8 +27,15 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof PrimitiveType
+    or
     node.getType() instanceof BoxedType
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("java.lang", "String", "replaceAll") and
+      ma.getArgument(0).(StringLiteral).getValue().matches("%[^%") and
+      node.asExpr() = ma
+    )
   }
 }
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected
index 62c4fdc3c46..67c6629093a 100644
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected
@@ -64,5 +64,7 @@
 | Test.java:213:21:213:24 | main | 5 | Test.java:218:14:218:17 | args |
 | Validation.java:6:21:6:35 | checkIdentifier | 1 | Validation.java:7:23:7:24 | id |
 | Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:14 | id |
+| Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:24 | charAt(...) |
+| Validation.java:6:21:6:35 | checkIdentifier | 3 | Validation.java:9:28:9:28 | c |
 | Validation.java:6:21:6:35 | checkIdentifier | 4 | Validation.java:10:32:10:58 | ... + ... |
 | Validation.java:6:21:6:35 | checkIdentifier | 4 | Validation.java:10:57:10:58 | id |
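Review bot: The new `exists(MethodAccess ma | ...)` branch in isSanitizer inspects only the regex argument of `replaceAll` and never the replacement argument, so a call whose literal replacement itself contains CR or LF (constructed example: `s.replaceAll("[^a-zA-Z0-9]", "\r\n")`) is treated as clean although its result still carries the characters this query is about. The `%[^%` match is also a pure substring test, so it fires when the negated character class is only one part of a larger pattern (combined with alternation or a quantifier, or escaped) where CR and LF are not necessarily removed, which makes this a deliberate precision trade-off that should be stated in the code. I would put `// Heuristic: a negated character class is assumed to strip CR/LF from the whole string` above the exists and add `not ma.getArgument(1).(StringLiteral).getValue().regexpMatch("(?s).*[\\r\\n].*") and` to its body, noting that a non-literal replacement would still pass and could be excluded by requiring the literal instead of negating the match. The ResponseSplittingConfig class continues outside the hunk.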
diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
index 0b64242ffa0..25824c79394 100644
--- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
+++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected
@@ -1,14 +1,25 @@
 edges
+| UrlRedirect.java:32:37:32:66 | getParameter(...) : String | UrlRedirect.java:32:25:32:67 | weakCleanup(...) |
+| UrlRedirect.java:32:37:32:66 | getParameter(...) : String | UrlRedirect.java:45:28:45:39 | input : String |
 | UrlRedirect.java:36:58:36:89 | getParameter(...) : String | UrlRedirect.java:36:25:36:89 | ... + ... |
+| UrlRedirect.java:45:28:45:39 | input : String | UrlRedirect.java:46:10:46:14 | input : String |
+| UrlRedirect.java:46:10:46:14 | input : String | UrlRedirect.java:46:10:46:40 | replaceAll(...) : String |
 nodes
 | UrlRedirect.java:23:25:23:54 | getParameter(...) | semmle.label | getParameter(...) |
+| UrlRedirect.java:32:25:32:67 | weakCleanup(...) | semmle.label | weakCleanup(...) |
+| UrlRedirect.java:32:37:32:66 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UrlRedirect.java:36:25:36:89 | ... + ... | semmle.label | ... + ... |
 | UrlRedirect.java:36:58:36:89 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UrlRedirect.java:39:34:39:63 | getParameter(...) | semmle.label | getParameter(...) |
 | UrlRedirect.java:42:43:42:72 | getParameter(...) | semmle.label | getParameter(...) |
+| UrlRedirect.java:45:28:45:39 | input : String | semmle.label | input : String |
+| UrlRedirect.java:46:10:46:14 | input : String | semmle.label | input : String |
+| UrlRedirect.java:46:10:46:40 | replaceAll(...) : String | semmle.label | replaceAll(...) : String |
 subpaths
+| UrlRedirect.java:32:37:32:66 | getParameter(...) : String | UrlRedirect.java:45:28:45:39 | input : String | UrlRedirect.java:46:10:46:40 | replaceAll(...) : String | UrlRedirect.java:32:25:32:67 | weakCleanup(...) |
 #select
 | UrlRedirect.java:23:25:23:54 | getParameter(...) | UrlRedirect.java:23:25:23:54 | getParameter(...) | UrlRedirect.java:23:25:23:54 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:23:25:23:54 | getParameter(...) | user-provided value |
+| UrlRedirect.java:32:25:32:67 | weakCleanup(...) | UrlRedirect.java:32:37:32:66 | getParameter(...) : String | UrlRedirect.java:32:25:32:67 | weakCleanup(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:32:37:32:66 | getParameter(...) | user-provided value |
 | UrlRedirect.java:36:25:36:89 | ... + ... | UrlRedirect.java:36:58:36:89 | getParameter(...) : String | UrlRedirect.java:36:25:36:89 | ... + ... | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:36:58:36:89 | getParameter(...) | user-provided value |
 | UrlRedirect.java:39:34:39:63 | getParameter(...) | UrlRedirect.java:39:34:39:63 | getParameter(...) | UrlRedirect.java:39:34:39:63 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:39:34:39:63 | getParameter(...) | user-provided value |
 | UrlRedirect.java:42:43:42:72 | getParameter(...) | UrlRedirect.java:42:43:42:72 | getParameter(...) | UrlRedirect.java:42:43:42:72 | getParameter(...) | Potentially untrusted URL redirection due to $@. | UrlRedirect.java:42:43:42:72 | getParameter(...) | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java
index b8688c41fc0..318fdec9182 100644
--- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java
+++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java
@@ -27,7 +27,7 @@ public class UrlRedirect extends HttpServlet {
             response.sendRedirect(VALID_REDIRECT);
         }
 
-        // FALSE NEGATIVE: the user attempts to clean the string, but this will fail
+        // BAD: the user attempts to clean the string, but this will fail
         // if the argument is "hthttp://tp://malicious.com"
         response.sendRedirect(weakCleanup(request.getParameter("target")));