hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add exactly the string '/' as a sanitizing prefix.

Browse Source 
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
This commit is contained in:
Chris Smowton
2021-04-06 15:29:42 +01:00
parent bc43b6d760
commit 6933d06a46
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/test/query-tests/security/CWE-918/RequestForgery.java
View File

@@ -56,6 +56,10 @@ public class RequestForgery extends HttpServlet {
HttpRequest r8 = HttpRequest.newBuilder(new URI(safeUri8)).build();
client.send(r8, null);
String safeUri9 = String.format("http://%s", "myserver.com") + "/" + request.getParameter("uri9");
HttpRequest r9 = HttpRequest.newBuilder(new URI(safeUri9)).build();
client.send(r9, null);
// BAD: cases where a string that would sanitise is used, but occurs in the wrong
// place to sanitise user input:
String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
@@ -83,6 +87,10 @@ public class RequestForgery extends HttpServlet {
HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build();
client.send(unsafer8, null);
String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build();
client.send(unsafer9, null);
} catch (Exception e) {
// TODO: handle exception
}