Merge pull request #3928 from rvermeulen/java-importable-cwe-113

Java: Move `HeaderSplittingSink` and `WhitelistedSource` into importable library
2026-03-01 05:13:41 +01:00 · 2020-08-05 10:16:00 +02:00
parent 32d9d270fc c2733ad22e
commit 9e78341e43
4 changed files with 53 additions and 41 deletions
--- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
+++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -0,0 +1,49 @@
+/** Provides classes to reason about header splitting attacks. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.JaxWS
+
+/** A sink that is vulnerable to an HTTP header splitting attack. */
+abstract class HeaderSplittingSink extends DataFlow::Node { }
+
+/** A source that introduces data considered safe to use by a header splitting source. */
+abstract class SafeHeaderSplittingSource extends DataFlow::Node {
+  SafeHeaderSplittingSource() { this instanceof RemoteFlowSource }
+}
+
+/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */
+private class ServletHeaderSplittingSink extends HeaderSplittingSink {
+  ServletHeaderSplittingSink() {
+    exists(ResponseAddCookieMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getArgument(0)
+    )
+    or
+    exists(ResponseAddHeaderMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getAnArgument()
+    )
+    or
+    exists(ResponseSetHeaderMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getAnArgument()
+    )
+    or
+    exists(JaxRsResponseBuilder builder, Method m |
+      m = builder.getAMethod() and m.getName() = "header"
+    |
+      this.asExpr() = m.getAReference().getArgument(1)
+    )
+  }
+}
+
+/** A default source that introduces data considered safe to use by a header splitting source. */
+private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
+  DefaultSafeHeaderSplittingSource() {
+    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
+  }
+}