Move headers injection query and concept from experimental to main

2026-04-26 17:25:19 +02:00 · 2024-03-27 10:59:11 +00:00
parent 3b44b131b9
commit 6021d9238c
4 changed files with 57 additions and 14 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -1025,6 +1025,45 @@ module Http {
      }
    }

+    /**
+     * A data-flow node that sets a header in an HTTP response.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `ResponseHeaderWrite::Range` instead.
+     */
+    class ResponseHeaderWrite extends DataFlow::Node instanceof ResponseHeaderWrite::Range {
+      /**
+       * Gets the argument containing the header name.
+       */
+      DataFlow::Node getNameArg() { result = super.getNameArg() }
+
+      /**
+       * Gets the argument containing the header value.
+       */
+      DataFlow::Node getValueArg() { result = super.getValueArg() }
+    }
+
+    /** Provides a class for modelling header writes on HTTP responses. */
+    module ResponseHeaderWrite {
+      /**
+       *A data-flow node that sets a header in an HTTP response.
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `ResponseHeaderWrite` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets the argument containing the header name.
+         */
+        abstract DataFlow::Node getNameArg();
+
+        /**
+         * Gets the argument containing the header value.
+         */
+        abstract DataFlow::Node getValueArg();
+      }
+    }
+
    /**
     * A data-flow node that sets a cookie in an HTTP response.
     *
--- a/python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/HTTPHeaders.qll
@@ -1,17 +1,21 @@
+/**
+ * Provides a taint tracking configuration for reasoning about HTTP header injection.
+ */
+
 import python
-import experimental.semmle.python.Concepts
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources

 /**
- * A taint-tracking configuration for detecting HTTP Header injections.
+ * A taint-tracking configuration for detecting HTTP Header injection vulnerabilities.
 */
 private module HeaderInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) {
-    exists(HeaderDeclaration headerDeclaration |
+    exists(Http::Server::ResponseHeaderWrite headerDeclaration |
      sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
    )
  }
--- a/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-113/HeaderInjection.ql
@@ -1,19 +1,19 @@
 /**
 * @name HTTP Header Injection
- * @description User input should not be used in HTTP headers, otherwise a malicious user
- *              may be able to inject a value that could manipulate the response.
+ * @description Writing user input directly to an HTTP header
+ *              makes code vulnerable to attack by header splitting.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
 * @id py/header-injection
 * @tags security
- *       experimental
 *       external/cwe/cwe-113
 *       external/cwe/cwe-079
 */

-// determine precision above
 import python
-import experimental.semmle.python.security.injection.HTTPHeaders
+import semmle.python.security.dataflow.HttpHeaderInjectionQuery
 import HeaderInjectionFlow::PathGraph

 from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -217,14 +217,14 @@ class SqlEscape extends DataFlow::Node instanceof SqlEscape::Range {
 }

 /** Provides classes for modeling HTTP Header APIs. */
-module HeaderDeclaration {
+deprecated module HeaderDeclaration {
  /**
   * A data-flow node that collects functions setting HTTP Headers.
   *
   * Extend this class to model new APIs. If you want to refine existing API models,
   * extend `HeaderDeclaration` instead.
   */
-  abstract class Range extends DataFlow::Node {
+  abstract deprecated class Range extends DataFlow::Node {
    /**
     * Gets the argument containing the header name.
     */
@@ -243,7 +243,7 @@ module HeaderDeclaration {
 * Extend this class to refine existing API models. If you want to model new APIs,
 * extend `HeaderDeclaration::Range` instead.
 */
-class HeaderDeclaration extends DataFlow::Node instanceof HeaderDeclaration::Range {
+deprecated class HeaderDeclaration extends DataFlow::Node instanceof HeaderDeclaration::Range {
  /**
   * Gets the argument containing the header name.
   */