hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation

Browse Source
This commit is contained in:
Joe Farebrother
2024-04-05 13:54:44 +01:00
parent 8636a50190
commit daa31b5bb7
4 changed files with 58 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
python/ql/src/Security/CWE-113/HeaderInjection.qhelp Normal file
View File

@@ -0,0 +1,41 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Directly writing user input (for example, an HTTP request parameter) to an HTTP header
can lead to an HTTP response-splitting vulnerability.</p>
<p>If user-controlled input is used in an HTTP header that allows line break characters, an attacker can
inject additional headers or control the response body, leading to vulnerabilities such as XSS or cache poisoning.
</p>
</overview>
<recommendation>
Ensure that user input containing line break characters is not written to an HTTP header.
</recommendation>
<example>
In the following example, the case marked BAD writes user input to the header name.
In the GOOD case, input is first escaped to not contain any line break characters.
<sample src="examples/header_injection.py" />
</example>
<references>
<li>
SecLists.org: <a href="https://seclists.org/bugtraq/2005/Apr/187">HTTP response splitting</a>.
</li>
<li>
OWASP:
<a href="https://www.owasp.org/index.php/HTTP_Response_Splitting">HTTP Response Splitting</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>.
</li>
<li>
CAPEC: <a href="https://capec.mitre.org/data/definitions/105.html">CAPEC-105: HTTP Request Splitting</a>
</li>
</references>
</qhelp>

17
python/ql/src/Security/CWE-113/examples/header_injection.py Normal file
View File

@@ -0,0 +1,17 @@
@app.route("/example_bad")
def example_bad():
rfs_header = request.args["rfs_header"]
response = Response()
custom_header = "X-MyHeader-" + rfs_header
# BAD: User input is used as part of the header name.
response.headers[custom_header] = "HeaderValue"
return response
@app.route("/example_good")
def example_bad():
rfs_header = request.args["rfs_header"]
response = Response()
custom_header = "X-MyHeader-" + rfs_header.replace("\n", "").replace("\r","").replace(":","")
# GOOD: Line break characters are removed from the input.
response.headers[custom_header] = "HeaderValue"
return response