Documentation

2026-04-22 15:25:18 +02:00 · 2023-07-25 21:05:54 -04:00
parent 55fae2daaa
commit b567ec875a
4 changed files with 28 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -26,6 +26,9 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }

+/**
+ * A sanitizer for data that crosses a trust boundary.
+ */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }

 /**
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
@@ -0,0 +1,8 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
+        // GOOD: The input is sanitized before being written to the response.
+        request.getSession().setAttribute("username", username);
+    }
+}
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@@ -22,12 +22,21 @@

  <recommendation>
    <p>
-      Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the
-      application should validate the cookie before using it.
+      In order to maintain a trust boundary, data from less trusted sources should be validated before being used.
    </p>
  </recommendation>

  <example>
+    <p>
+      In the first (bad) example, the server accepts a parameter from the user and uses it to set the username without validation.
+    </p>
+    <sample src="examples/TrustBoundaryVulnerable.java" />
+
+    <p>
+      In the second (good) example, the server validates the parameter before using it to set the username.
+    </p>
+    <sample src="examples/TrustBoundaryFixed.java" />
+
  </example>

  <references>
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
@@ -0,0 +1,6 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    // BAD: The input is written to the response without being sanitized.
+    request.getSession().setAttribute("username", username);
+}