Merge pull request #2550 from JLLeitschuh/task/JLL/improve_netty_response_splitting_detection

Add io.netty.handler.codec.http.DefaultHttpResponse to Netty Response Splitting Detection
This commit is contained in:
Anders Schack-Mulligen
2020-01-07 14:28:01 +01:00
committed by GitHub
2 changed files with 25 additions and 6 deletions


@@ -5,5 +5,11 @@ public class ResponseSplitting {
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
// GOOD: Verifies headers passed don't contain CRLF characters
private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();
// BAD: Disables the internal response splitting verification
private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);
// GOOD: Verifies headers passed don't contain CRLF characters
private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);
}
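Review bot: The fixture only exercises literal `false` arguments, so it does not cover the widening from `BooleanLiteral` to `CompileTimeConstantExpr` that the query side of this PR introduces; a case such as `private static final boolean VALIDATE = false;` followed by `// BAD: constant folds to false` and `new DefaultHttpResponse(version, httpResponseStatus, VALIDATE);` would pin that behaviour, and an explicit `true` third argument would give a negative case for the new `DefaultHttpResponse` branch. `version` and `httpResponseStatus` are not declared within the hunk; presumably they are fields above line 5 of the fixture, otherwise the test will not extract. The enclosing class `ResponseSplitting` starts outside the hunk.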


@@ -13,8 +13,21 @@
import java
from ClassInstanceExpr new
where
new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
select new, "Response-splitting vulnerability due to verification being disabled."
abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr { }
private class InsecureDefaultHttpHeadersClassInstantiation extends InsecureNettyObjectCreation {
InsecureDefaultHttpHeadersClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false
}
}
private class InsecureDefaultHttpResponseClassInstantiation extends InsecureNettyObjectCreation {
InsecureDefaultHttpResponseClassInstantiation() {
getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
getArgument(2).(CompileTimeConstantExpr).getBooleanValue() = false
}
}
from InsecureNettyObjectCreation new
select new, "Response-splitting vulnerability due to header value verification being disabled."
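Review bot: The three new classes carry no QLDoc, and `InsecureNettyObjectCreation` in particular needs one because it is the extension point for adding further Netty types; a summary such as `/** A Netty object construction that turns off the built-in CRLF check on header values. */` on the abstract class, plus one line on each subclass naming the constructor argument it inspects, would make the intent clear. `getArgument(2)` hard-codes the position of the `validateHeaders` flag for `DefaultHttpResponse`, which matches the overloads I am aware of, but `DefaultFullHttpResponse` carries the same flag at a different index depending on the overload, so if that type is meant to be covered later it should get its own subclass rather than reuse the index. The select message on the last line now differs from the removed wording; if a `@description` metadata line exists above line 13 it may need the same update.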