hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix java/netty-http-request-or-response-splitting overlay compilation regression

Browse Source
This commit is contained in:
Kasper Svendsen
2025-07-01 09:16:07 +02:00
parent 5e8b12a08b
commit 425448a10a
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
View File

@@ -16,6 +16,7 @@
import java
import semmle.code.java.dataflow.FlowSources
overlay[local?]
abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
int vulnerableArgumentIndex;
@@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
abstract string splittingType();
}
overlay[local?]
abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Request splitting or response splitting" }
@@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext
/**
* Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
*/
overlay[local?]
abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Request splitting" }
@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec
/**
* Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
*/
overlay[local?]
abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
{
override string splittingType() { result = "Response splitting" }
}
overlay[local?]
private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpHeadersClassInstantiation() {
@@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
}
}
overlay[local?]
private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpResponseClassInstantiation() {
@@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli
}
}
overlay[local?]
private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
{
InsecureDefaultHttpRequestClassInstantiation() {
@@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt
}
}
overlay[local?]
private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
{
InsecureDefaultFullHttpResponseClassInstantiation() {
@@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response
}
}
overlay[local?]
private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
{
InsecureDefaultFullHttpRequestClassInstantiation() {