From 782573ed43bec819cbb9fced03015e7193ed6960 Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Thu, 9 Jul 2020 14:58:53 +0200
Subject: [PATCH] Add and format qldocs according to the style guide.

---
 .../code/java/security/ResponseSplitting.qll | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
index 3482f619414..4dcfc435819 100644
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -1,21 +1,17 @@
+/** Provides classes to reason about header splitting attacks. */
+
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.JaxWS
 
-/**
- * Header-splitting sinks. Expressions that end up in an HTTP header.
- */
+/** Header-splitting sinks. Expressions that end up in an HTTP header. */
 abstract class HeaderSplittingSink extends DataFlow::Node { }
 
-/**
- * Sources that cannot be used to perform a header splitting attack.
- */
+/** Sources that cannot be used to perform a header splitting attack. */
 abstract class SafeHeaderSplittingSource extends DataFlow::Node { }
 
-/**
- * Header-splitting sinks. Expressions that end up in an HTTP header.
- */
+/** Servlet and JaxWS sinks susceptible to header splitting. */
 private class ServletHeaderSplittingSink extends HeaderSplittingSink {
 ServletHeaderSplittingSink() {
 exists(ResponseAddCookieMethod m, MethodAccess ma |
@@ -41,6 +37,7 @@ private class ServletHeaderSplittingSink extends HeaderSplittingSink {
 }
 }
 
+/** Servlet sources considered safe regarding header splitting */
 private class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
 ServletSafeHeaderSplittingSource() {
 this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
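Review bot: The class qldocs in this hunk are still plural fragments (`Header-splitting sinks. ...`, `Sources that cannot be used ...`, `Servlet and JaxWS sinks ...`), while the QLDoc style guide the commit cites asks for a singular noun phrase describing one member of the class. I would write `/** A header-splitting sink: an expression that ends up in an HTTP header. */` and `/** A source that cannot be used to perform a header splitting attack. */`, and word the `ServletHeaderSplittingSink` comment the same way. The comment added in the second hunk has the same plural form. The characteristic predicate of `ServletHeaderSplittingSink` continues outside this hunk, so the comment cannot be checked against every case it covers.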
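Review bot: The qldoc added on `ServletSafeHeaderSplittingSource` calls the sources "considered safe" without saying why, and it lacks the closing full stop that the other comments in this commit have. Anyone adding a case to this class needs the rationale to judge whether a new source really cannot carry a line break into a response header. The one visible case, `HttpServletRequestGetHeaderMethod`, is presumably safe because a parsed request header value cannot contain CR or LF, but that should be confirmed and stated, for example `/** A servlet source whose value cannot contain a line break and is therefore safe with respect to header splitting. */`. The characteristic predicate continues past the end of the hunk, so the remaining cases are not visible here.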