Merge pull request #365 from aschackmull/java/response-splitting-whitelist-cookiename

Java: Whitelist Cookie::getName for HTTP response splitting.
2026-04-30 11:15:13 +02:00 · 2018-10-25 13:18:03 +01:00
parent cfe0b8803a 8fe1634fcc
commit c577f6d9f8
2 changed files with 9 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll
@@ -32,6 +32,7 @@ class HeaderSplittingSink extends DataFlow::ExprNode {

 class WhitelistedSource extends RemoteUserInput {
  WhitelistedSource() {
-    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod
+    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
  }
 }
--- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java
+++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java
@@ -24,7 +24,7 @@ public class ResponseSplitting extends HttpServlet {
 		}

 		// BAD: setting a header with an unvalidated parameter
-		// can lead to hTTP splitting
+		// can lead to HTTP splitting
 		response.addHeader("Content-type", request.getParameter("contentType"));
 		response.setHeader("Content-type", request.getParameter("contentType"));

@@ -42,4 +42,10 @@ public class ResponseSplitting extends HttpServlet {
 	private static String removeSpecial(String str) {
 		return str.replaceAll("[^a-zA-Z ]", "");
 	}
+
+	public void addCookieName(HttpServletResponse response, Cookie cookie) {
+		// GOOD: cookie.getName() cannot lead to HTTP splitting
+		Cookie cookie2 = new Cookie("name", cookie.getName());
+		response.addCookie(cookie2);
+	}
 }