Add io.netty.handler.codec.http.DefaultHttpResponse to Netty Response Splitting Detection

Related: #2185
Related: https://github.com/github/security-lab/issues/22
Jonathan Leitschuh
2019-12-17 12:07:32 -05:00
parent 9193a81e1a
commit b218374772
2 changed files with 25 additions and 6 deletions


@@ -5,5 +5,11 @@ public class ResponseSplitting {
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
// GOOD: Verifies headers passed don't contain CRLF characters
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();
// BAD: Disables the internal response splitting verification
private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);
// GOOD: Verifies headers passed don't contain CRLF characters
private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);
}


@@ -13,8 +13,21 @@
import java
from ClassInstanceExpr new
where
new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
select new, "Response-splitting vulnerability due to verification being disabled."
abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr { }
private class InsecureDefaultHttpHeadersClassInstantiation extends InsecureNettyObjectCreation {
InsecureDefaultHttpHeadersClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
}
}
private class InsecureDefaultHttpResponseClassInstantiation extends InsecureNettyObjectCreation {
InsecureDefaultHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
getArgument(2).getProperExpr().(BooleanLiteral).getBooleanValue() = false
}
}
from InsecureNettyObjectCreation new
select new, "Response-splitting vulnerability due to header value verification being disabled."
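Review bot: `InsecureDefaultHttpResponseClassInstantiation` matches only the exact type `DefaultHttpResponse` through `hasQualifiedName`, so other Netty response types that accept the same `validateHeaders` flag (for example `DefaultFullHttpResponse`, where some overloads carry the flag at a different argument index) would not be reported. Both characteristic predicates also require a `BooleanLiteral`, so a `false` that reaches the constructor through a constant or a variable is missed as well. If that scope is intended for now, I would record it in a QLDoc comment on the abstract class, e.g. `/** A Netty object created with header validation disabled by a literal false; only DefaultHttpHeaders and DefaultHttpResponse are modelled. */`, and add one sibling class per further type rather than widening the index-2 check.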