Apply suggestions from code review for netty DefaultHttpHeaders

Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2025-12-24 04:36:35 +01:00 · 2019-10-25 12:30:16 -04:00
parent dcbd6e0a11
commit 934eed97df
2 changed files with 14 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
@@ -4,6 +4,6 @@ public class ResponseSplitting {
    // BAD: Disables the internal response splitting verification
    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);

-    // GOOD: Verifies headers passed don't contain CLRF characters
+    // GOOD: Verifies headers passed don't contain CRLF characters
    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
 }
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -1,3 +1,16 @@
+/**
+ * @name Disabled Netty HTTP header validation
+ * @description Disabling HTTP header validation makes code vulnerable to
+ *              attack by header splitting if user input is written directly to
+ *              an HTTP header.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/netty-http-response-splitting
+ * @tags security
+ *       external/cwe/cwe-113
+ */
+
 import java

 from ClassInstanceExpr new