Extract HeaderSplittingSink and WhitelistedSource

- Extract `HeaderSplittingSink` and `WhitelistedSource` into an importable library. - Rename the existing `HeaderSplittingSink` implementation to `ServletHeaderSplittingSink`.
2026-04-29 02:35:15 +02:00 · 2020-07-08 17:17:24 +02:00
parent c166fee198
commit 5f560e0465
4 changed files with 19 additions and 7 deletions
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -11,7 +11,7 @@
 */

 import java
-import ResponseSplitting
+import ServletResponseSplitting
 import DataFlow::PathGraph

 class ResponseSplittingConfig extends TaintTracking::Configuration {
@@ -19,7 +19,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not source instanceof WhitelistedSource
+    not source instanceof TrustedSource
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,7 +12,7 @@

 import java
 import semmle.code.java.dataflow.FlowSources
-import ResponseSplitting
+import ServletResponseSplitting
 import DataFlow::PathGraph

 class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
--- a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll
+++ b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll
@@ -1,12 +1,13 @@
 import java
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting

 /**
 * Header-splitting sinks. Expressions that end up in an HTTP header.
 */
-class HeaderSplittingSink extends DataFlow::ExprNode {
-  HeaderSplittingSink() {
+class ServletHeaderSplittingSink extends HeaderSplittingSink {
+  ServletHeaderSplittingSink() {
    exists(ResponseAddCookieMethod m, MethodAccess ma |
      ma.getMethod() = m and
      this.getExpr() = ma.getArgument(0)
@@ -30,8 +31,8 @@ class HeaderSplittingSink extends DataFlow::ExprNode {
  }
 }

-class WhitelistedSource extends DataFlow::ExprNode {
-  WhitelistedSource() {
+class TrustedServletSource extends TrustedSource {
+  TrustedServletSource() {
    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
  }
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -0,0 +1,11 @@
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * Header-splitting sinks. Expressions that end up in an HTTP header.
+ */
+abstract class HeaderSplittingSink extends DataFlow::ExprNode { }
+
+/**
+ * Sources that cannot be used to perform a header splitting attack.
+ */
+abstract class TrustedSource extends DataFlow::ExprNode { }