mirror of
https://github.com/github/codeql.git
synced 2026-04-24 16:25:15 +02:00
Merge pull request #3928 from rvermeulen/java-importable-cwe-113
Java: Move `HeaderSplittingSink` and `WhitelistedSource` into importable library
This commit is contained in:
Anders Schack-Mulligen
@@ -11,7 +11,8 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import ResponseSplitting
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.security.ResponseSplitting
|
||||
import DataFlow::PathGraph
|
||||
|
||||
class ResponseSplittingConfig extends TaintTracking::Configuration {
|
||||
@@ -19,7 +20,7 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source instanceof RemoteFlowSource and
|
||||
not source instanceof WhitelistedSource
|
||||
not source instanceof SafeHeaderSplittingSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
|
||||
|
||||
@@ -1,38 +0,0 @@
|
||||
import java
|
||||
import semmle.code.java.frameworks.Servlets
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
/**
|
||||
* Header-splitting sinks. Expressions that end up in an HTTP header.
|
||||
*/
|
||||
class HeaderSplittingSink extends DataFlow::ExprNode {
|
||||
HeaderSplittingSink() {
|
||||
exists(ResponseAddCookieMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.getExpr() = ma.getArgument(0)
|
||||
)
|
||||
or
|
||||
exists(ResponseAddHeaderMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.getExpr() = ma.getAnArgument()
|
||||
)
|
||||
or
|
||||
exists(ResponseSetHeaderMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.getExpr() = ma.getAnArgument()
|
||||
)
|
||||
or
|
||||
exists(JaxRsResponseBuilder builder, Method m |
|
||||
m = builder.getAMethod() and m.getName() = "header"
|
||||
|
|
||||
this.getExpr() = m.getAReference().getArgument(1)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class WhitelistedSource extends DataFlow::ExprNode {
|
||||
WhitelistedSource() {
|
||||
this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
|
||||
this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
|
||||
}
|
||||
}
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import ResponseSplitting
|
||||
import semmle.code.java.security.ResponseSplitting
|
||||
import DataFlow::PathGraph
|
||||
|
||||
class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
|
||||
|
||||
49
java/ql/src/semmle/code/java/security/ResponseSplitting.qll
Normal file
49
java/ql/src/semmle/code/java/security/ResponseSplitting.qll
Normal file
@@ -0,0 +1,49 @@
|
||||
/** Provides classes to reason about header splitting attacks. */
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.frameworks.Servlets
|
||||
import semmle.code.java.frameworks.JaxWS
|
||||
|
||||
/** A sink that is vulnerable to an HTTP header splitting attack. */
|
||||
abstract class HeaderSplittingSink extends DataFlow::Node { }
|
||||
|
||||
/** A source that introduces data considered safe to use by a header splitting source. */
|
||||
abstract class SafeHeaderSplittingSource extends DataFlow::Node {
|
||||
SafeHeaderSplittingSource() { this instanceof RemoteFlowSource }
|
||||
}
|
||||
|
||||
/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */
|
||||
private class ServletHeaderSplittingSink extends HeaderSplittingSink {
|
||||
ServletHeaderSplittingSink() {
|
||||
exists(ResponseAddCookieMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.asExpr() = ma.getArgument(0)
|
||||
)
|
||||
or
|
||||
exists(ResponseAddHeaderMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.asExpr() = ma.getAnArgument()
|
||||
)
|
||||
or
|
||||
exists(ResponseSetHeaderMethod m, MethodAccess ma |
|
||||
ma.getMethod() = m and
|
||||
this.asExpr() = ma.getAnArgument()
|
||||
)
|
||||
or
|
||||
exists(JaxRsResponseBuilder builder, Method m |
|
||||
m = builder.getAMethod() and m.getName() = "header"
|
||||
|
|
||||
this.asExpr() = m.getAReference().getArgument(1)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** A default source that introduces data considered safe to use by a header splitting source. */
|
||||
private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
|
||||
DefaultSafeHeaderSplittingSource() {
|
||||
this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
|
||||
this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user