From 5f560e04659caa3c62612302f5a5886f75d2bf02 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Wed, 8 Jul 2020 17:17:24 +0200 Subject: [PATCH 01/10] Extract `HeaderSplittingSink` and `WhitelistedSource` - Extract `HeaderSplittingSink` and `WhitelistedSource` into an importable library. - Rename the existing `HeaderSplittingSink` implementation to `ServletHeaderSplittingSink`. --- java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql | 4 ++-- .../Security/CWE/CWE-113/ResponseSplittingLocal.ql | 2 +- ...onseSplitting.qll => ServletResponseSplitting.qll} | 9 +++++---- .../semmle/code/java/security/ResponseSplitting.qll | 11 +++++++++++ 4 files changed, 19 insertions(+), 7 deletions(-) rename java/ql/src/Security/CWE/CWE-113/{ResponseSplitting.qll => ServletResponseSplitting.qll} (80%) create mode 100644 java/ql/src/semmle/code/java/security/ResponseSplitting.qll diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql index c160895f472..9b26aff05be 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql @@ -11,7 +11,7 @@ */ import java -import ResponseSplitting +import ServletResponseSplitting import DataFlow::PathGraph class ResponseSplittingConfig extends TaintTracking::Configuration { @@ -19,7 +19,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - not source instanceof WhitelistedSource + not source instanceof TrustedSource } override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink } diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql index 3de3a2229ca..dfeeddbd3f4 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql 
@@ -12,7 +12,7 @@ import java import semmle.code.java.dataflow.FlowSources -import ResponseSplitting +import ServletResponseSplitting import DataFlow::PathGraph class ResponseSplittingLocalConfig extends TaintTracking::Configuration { diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll similarity index 80% rename from java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll rename to java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll index f17ac91fa97..39c8ff6266e 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll +++ b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll @@ -1,12 +1,13 @@ import java import semmle.code.java.frameworks.Servlets import semmle.code.java.dataflow.FlowSources +import semmle.code.java.security.ResponseSplitting /** * Header-splitting sinks. Expressions that end up in an HTTP header. */ -class HeaderSplittingSink extends DataFlow::ExprNode { - HeaderSplittingSink() { +class ServletHeaderSplittingSink extends HeaderSplittingSink { + ServletHeaderSplittingSink() { exists(ResponseAddCookieMethod m, MethodAccess ma | ma.getMethod() = m and this.getExpr() = ma.getArgument(0) @@ -30,8 +31,8 @@ class HeaderSplittingSink extends DataFlow::ExprNode { } } -class WhitelistedSource extends DataFlow::ExprNode { - WhitelistedSource() { +class TrustedServletSource extends TrustedSource { + TrustedServletSource() { this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod } diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll new file mode 100644 index 00000000000..583833df01e --- /dev/null +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll 
@@ -0,0 +1,11 @@ +import semmle.code.java.dataflow.DataFlow + +/** + * Header-splitting sinks. Expressions that end up in an HTTP header. + */ +abstract class HeaderSplittingSink extends DataFlow::ExprNode { } + +/** + * Sources that cannot be used to perform a header splitting attack. + */ +abstract class TrustedSource extends DataFlow::ExprNode { } From fed506a12ff2d3f02933880bb5ae26b758da9d51 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:36:23 +0200 Subject: [PATCH 02/10] Rename TrustedSource to SafeHeaderSplittingSource --- java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql | 2 +- java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll | 4 ++-- java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql index 9b26aff05be..2eab495657e 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql @@ -19,7 +19,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration { override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and - not source instanceof TrustedSource + not source instanceof SafeHeaderSplittingSource } override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink } diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll index 39c8ff6266e..1589a3f3009 100644 --- a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll +++ b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll 
@@ -31,8 +31,8 @@ class ServletHeaderSplittingSink extends HeaderSplittingSink { } } -class TrustedServletSource extends TrustedSource { - TrustedServletSource() { +class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource { + ServletSafeHeaderSplittingSource() { this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod } diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 583833df01e..59224b0ec69 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -8,4 +8,4 @@ abstract class HeaderSplittingSink extends DataFlow::ExprNode { } /** * Sources that cannot be used to perform a header splitting attack. */ -abstract class TrustedSource extends DataFlow::ExprNode { } +abstract class SafeHeaderSplittingSource extends DataFlow::ExprNode { } From b66f391c31b9b0a0f1b35e962508a718c2e82903 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:39:08 +0200 Subject: [PATCH 03/10] Extend source and sink from DataFlow::Node instead of DataFlow::exprNode --- .../src/Security/CWE/CWE-113/ServletResponseSplitting.qll | 8 ++++---- .../src/semmle/code/java/security/ResponseSplitting.qll | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll index 1589a3f3009..a2a76ccce3f 100644 --- a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll +++ b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll 
@@ -10,23 +10,23 @@ class ServletHeaderSplittingSink extends HeaderSplittingSink { ServletHeaderSplittingSink() { exists(ResponseAddCookieMethod m, MethodAccess ma | ma.getMethod() = m and - this.getExpr() = ma.getArgument(0) + this.asExpr() = ma.getArgument(0) ) or exists(ResponseAddHeaderMethod m, MethodAccess ma | ma.getMethod() = m and - this.getExpr() = ma.getAnArgument() + this.asExpr() = ma.getAnArgument() ) or exists(ResponseSetHeaderMethod m, MethodAccess ma | ma.getMethod() = m and - this.getExpr() = ma.getAnArgument() + this.asExpr() = ma.getAnArgument() ) or exists(JaxRsResponseBuilder builder, Method m | m = builder.getAMethod() and m.getName() = "header" | - this.getExpr() = m.getAReference().getArgument(1) + this.asExpr() = m.getAReference().getArgument(1) ) } } diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 59224b0ec69..f71fce570a1 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -3,9 +3,9 @@ import semmle.code.java.dataflow.DataFlow /** * Header-splitting sinks. Expressions that end up in an HTTP header. */ -abstract class HeaderSplittingSink extends DataFlow::ExprNode { } +abstract class HeaderSplittingSink extends DataFlow::Node { } /** * Sources that cannot be used to perform a header splitting attack. */ -abstract class SafeHeaderSplittingSource extends DataFlow::ExprNode { } +abstract class SafeHeaderSplittingSource extends DataFlow::Node { } From 7435dac3d20ef0a69696621825a61fc9939874b9 Mon Sep 17 00:00:00 2001 
From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:53:59 +0200 Subject: [PATCH 04/10] Move source and sink into importable library --- .../Security/CWE/CWE-113/ResponseSplitting.ql | 3 +- .../CWE/CWE-113/ResponseSplittingLocal.ql | 2 +- .../CWE/CWE-113/ServletResponseSplitting.qll | 39 ------------------- .../code/java/security/ResponseSplitting.qll | 37 ++++++++++++++++++ 4 files changed, 40 insertions(+), 41 deletions(-) delete mode 100644 java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql index 2eab495657e..add36e91963 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql @@ -11,7 +11,8 @@ */ import java -import ServletResponseSplitting +import semmle.code.java.dataflow.FlowSources +import semmle.code.java.security.ResponseSplitting import DataFlow::PathGraph class ResponseSplittingConfig extends TaintTracking::Configuration { diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql index dfeeddbd3f4..7a748276aba 100644 --- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql +++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql @@ -12,7 +12,7 @@ import java import semmle.code.java.dataflow.FlowSources -import ServletResponseSplitting +import semmle.code.java.security.ResponseSplitting import DataFlow::PathGraph class ResponseSplittingLocalConfig extends TaintTracking::Configuration { diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll deleted file mode 100644 index a2a76ccce3f..00000000000 --- a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll +++ /dev/null 
@@ -1,39 +0,0 @@ -import java -import semmle.code.java.frameworks.Servlets -import semmle.code.java.dataflow.FlowSources -import semmle.code.java.security.ResponseSplitting - -/** - * Header-splitting sinks. Expressions that end up in an HTTP header. - */ -class ServletHeaderSplittingSink extends HeaderSplittingSink { - ServletHeaderSplittingSink() { - exists(ResponseAddCookieMethod m, MethodAccess ma | - ma.getMethod() = m and - this.asExpr() = ma.getArgument(0) - ) - or - exists(ResponseAddHeaderMethod m, MethodAccess ma | - ma.getMethod() = m and - this.asExpr() = ma.getAnArgument() - ) - or - exists(ResponseSetHeaderMethod m, MethodAccess ma | - ma.getMethod() = m and - this.asExpr() = ma.getAnArgument() - ) - or - exists(JaxRsResponseBuilder builder, Method m | - m = builder.getAMethod() and m.getName() = "header" - | - this.asExpr() = m.getAReference().getArgument(1) - ) - } -} - -class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource { - ServletSafeHeaderSplittingSource() { - this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or - this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod - } -} diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index f71fce570a1..8366a6ba5b8 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -1,4 +1,6 @@ import semmle.code.java.dataflow.DataFlow +import semmle.code.java.frameworks.Servlets +import semmle.code.java.frameworks.JaxWS /** * Header-splitting sinks. Expressions that end up in an HTTP header. 
@@ -9,3 +11,38 @@ abstract class HeaderSplittingSink extends DataFlow::Node { } * Sources that cannot be used to perform a header splitting attack. */ abstract class SafeHeaderSplittingSource extends DataFlow::Node { } + +/** + * Header-splitting sinks. Expressions that end up in an HTTP header. + */ +private class ServletHeaderSplittingSink extends HeaderSplittingSink { + ServletHeaderSplittingSink() { + exists(ResponseAddCookieMethod m, MethodAccess ma | + ma.getMethod() = m and + this.asExpr() = ma.getArgument(0) + ) + or + exists(ResponseAddHeaderMethod m, MethodAccess ma | + ma.getMethod() = m and + this.asExpr() = ma.getAnArgument() + ) + or + exists(ResponseSetHeaderMethod m, MethodAccess ma | + ma.getMethod() = m and + this.asExpr() = ma.getAnArgument() + ) + or + exists(JaxRsResponseBuilder builder, Method m | + m = builder.getAMethod() and m.getName() = "header" + | + this.asExpr() = m.getAReference().getArgument(1) + ) + } +} + +private class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource { + ServletSafeHeaderSplittingSource() { + this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or + this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod + } +} From 4ad6357cd7f01bd8220a6331cff449f7aab30f8e Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:54:46 +0200 Subject: [PATCH 05/10] Add missing Java import --- java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 8366a6ba5b8..3482f619414 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -1,3 +1,4 @@ +import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.JaxWS 
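Review bot: In `ServletHeaderSplittingSink` the JAX-RS branch marks only `getArgument(1)` of `header` as a sink, while the servlet `addHeader`/`setHeader` branches use `getAnArgument()`, so a tainted header name passed to the response builder is not reported. If header names are meant to be in scope, the branches can be made to agree with `this.asExpr() = m.getAReference().getAnArgument()`. If the narrower match is deliberate, a one-line comment on that branch saying why would stop a later reader from "fixing" it. The class also matches a JAX-RS builder, so the `Servlet` prefix in its name describes only part of what it covers.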
From 782573ed43bec819cbb9fced03015e7193ed6960 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:58:53 +0200 Subject: [PATCH 06/10] Add and format qldocs according to the style guide. --- .../code/java/security/ResponseSplitting.qll | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 3482f619414..4dcfc435819 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -1,21 +1,17 @@ +/** Provides classes to reason about header splitting attacks. */ + import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.JaxWS -/** - * Header-splitting sinks. Expressions that end up in an HTTP header. - */ +/** Header-splitting sinks. Expressions that end up in an HTTP header. */ abstract class HeaderSplittingSink extends DataFlow::Node { } -/** - * Sources that cannot be used to perform a header splitting attack. - */ +/** Sources that cannot be used to perform a header splitting attack. */ abstract class SafeHeaderSplittingSource extends DataFlow::Node { } -/** - * Header-splitting sinks. Expressions that end up in an HTTP header. - */ +/** Servlet and JaxWS sinks susceptible to header splitting. */ private class ServletHeaderSplittingSink extends HeaderSplittingSink { ServletHeaderSplittingSink() { exists(ResponseAddCookieMethod m, MethodAccess ma | @@ -41,6 +37,7 @@ private class ServletHeaderSplittingSink extends HeaderSplittingSink { } } +/** Servlet sources considered safe regarding header splitting */ private class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource { ServletSafeHeaderSplittingSource() { this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or 
From b147be6fea8a9709b057431c7c277ae5328ee2dc Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 15:13:18 +0200 Subject: [PATCH 07/10] Restrict SafeHeaderSplittingSource to RemoteFlowSource --- java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 4dcfc435819..02728211e94 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -2,6 +2,7 @@ import java import semmle.code.java.dataflow.DataFlow +import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.JaxWS @@ -9,7 +10,9 @@ import semmle.code.java.frameworks.JaxWS abstract class HeaderSplittingSink extends DataFlow::Node { } /** Sources that cannot be used to perform a header splitting attack. */ -abstract class SafeHeaderSplittingSource extends DataFlow::Node { } +abstract class SafeHeaderSplittingSource extends DataFlow::Node { + SafeHeaderSplittingSource() { this instanceof RemoteFlowSource } +} /** Servlet and JaxWS sinks susceptible to header splitting. */ private class ServletHeaderSplittingSink extends HeaderSplittingSink { From b3bb4cbf541c83eaec474a4599e9fe7a0b406508 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 16:14:21 +0200 Subject: [PATCH 08/10] Rename and update qldoc of default safe header splitting source --- java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 02728211e94..b53c90557f5 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll 
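Review bot: The characteristic predicate added to `SafeHeaderSplittingSource` in the `@@ -9,7 +10,9 @@` hunk is not reflected in the qldoc, and its effect on extenders is easy to miss. A subclass whose own predicate matches a node that is not a `RemoteFlowSource` silently contributes nothing to the exclusion. `ResponseSplitting.ql` already conjoins `source instanceof RemoteFlowSource` with `not source instanceof SafeHeaderSplittingSource`, so the restriction changes no result there and acts as a contract for the library. I would state that contract in the qldoc, e.g. ``/** A source that cannot be used to perform a header splitting attack. Only nodes that are also a `RemoteFlowSource` belong to this class. */``. Presumably `instanceof` is used rather than `extends RemoteFlowSource` so that subclasses cannot introduce new remote sources; if so, a short why-comment on the predicate would record that.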
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -40,9 +40,9 @@ private class ServletHeaderSplittingSink extends HeaderSplittingSink { } } -/** Servlet sources considered safe regarding header splitting */ -private class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource { - ServletSafeHeaderSplittingSource() { +/** Sources of data considered safe to use by header splitting sinks. */ +private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource { + DefaultSafeHeaderSplittingSource() { this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod } From c739c733feeb66491271a4ce8b08829272b3aa9e Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 17:31:37 +0200 Subject: [PATCH 09/10] Update class qldocs Change the ql docs to meet the style-guide points 1 and 3 for classes. --- .../src/semmle/code/java/security/ResponseSplitting.qll | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index b53c90557f5..ce7d221159d 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll 
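Review bot: The updated qldoc on `DefaultSafeHeaderSplittingSource` says the data is "considered safe" but not why, and that reasoning is the security-relevant part of the class: every node it matches is dropped from the sources of `ResponseSplitting.ql`. Presumably the argument is that a value parsed out of a request header, or a cookie name, cannot contain the line terminators a splitting attack needs. That depends on how the servlet container parses requests, so it should be written down where it can be checked. I would add a comment above the two disjuncts such as `// Request header values and cookie names are assumed to be free of CR/LF after container parsing; revisit if a supported container does not guarantee this.`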
@@ -6,15 +6,15 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.JaxWS -/** Header-splitting sinks. Expressions that end up in an HTTP header. */ +/** A sink that is vulnerable to a HTTP header splitting attack. */ abstract class HeaderSplittingSink extends DataFlow::Node { } -/** Sources that cannot be used to perform a header splitting attack. */ +/** A source that introduces data considered safe to use by a header splitting source. */ abstract class SafeHeaderSplittingSource extends DataFlow::Node { SafeHeaderSplittingSource() { this instanceof RemoteFlowSource } } -/** Servlet and JaxWS sinks susceptible to header splitting. */ +/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to a HTTP header splitting attack. */ private class ServletHeaderSplittingSink extends HeaderSplittingSink { ServletHeaderSplittingSink() { exists(ResponseAddCookieMethod m, MethodAccess ma | @@ -40,7 +40,7 @@ private class ServletHeaderSplittingSink extends HeaderSplittingSink { } } -/** Sources of data considered safe to use by header splitting sinks. */ +/** A default source that introduces data considered safe to use by a header splitting source. */ private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource { DefaultSafeHeaderSplittingSource() { this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or From c2733ad22e04d6af507a99e86f232d33f754fa25 Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Mon, 20 Jul 2020 14:55:00 +0200 Subject: [PATCH 10/10] Apply grammar suggestions Co-authored-by: Anders Schack-Mulligen --- java/ql/src/semmle/code/java/security/ResponseSplitting.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index ce7d221159d..d09e6567b15 100644 
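Review bot: Both reworded qldocs end in "safe to use by a header splitting source", which reads as a slip for "sink". The wording they replace was "safe to use by header splitting sinks", and the data in question is consumed by a `HeaderSplittingSink`. This affects `SafeHeaderSplittingSource` in this hunk and `DefaultSafeHeaderSplittingSource` in the `@@ -40,7 +40,7 @@` hunk. Suggested wording for the first: `/** A source that introduces data considered safe to use by a header splitting sink. */`, with the same change to the last word of the second.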
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -6,7 +6,7 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.frameworks.Servlets import semmle.code.java.frameworks.JaxWS -/** A sink that is vulnerable to a HTTP header splitting attack. */ +/** A sink that is vulnerable to an HTTP header splitting attack. */ abstract class HeaderSplittingSink extends DataFlow::Node { } /** A source that introduces data considered safe to use by a header splitting source. */ @@ -14,7 +14,7 @@ abstract class SafeHeaderSplittingSource extends DataFlow::Node { SafeHeaderSplittingSource() { this instanceof RemoteFlowSource } } -/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to a HTTP header splitting attack. */ +/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */ private class ServletHeaderSplittingSink extends HeaderSplittingSink { ServletHeaderSplittingSink() { exists(ResponseAddCookieMethod m, MethodAccess ma |