From dcbd6e0a112928cd4529aa9005b88b7606a84bcb Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Thu, 24 Oct 2019 10:27:40 -0400
Subject: [PATCH] Add CWE-113 check for
io.netty.handler.codec.http.DefaultHttpHeaders
Closes #2185
---
.../src/Security/CWE/CWE-113/NettyResponseSplitting.java | 9 +++++++++
.../Security/CWE/CWE-113/NettyResponseSplitting.qhelp | 5 +++++
.../src/Security/CWE/CWE-113/NettyResponseSplitting.ql | 7 +++++++
java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp | 7 +++++++
4 files changed, 28 insertions(+)
create mode 100644 java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
create mode 100644 java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp
create mode 100644 java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
new file mode 100644
index 00000000000..499afdf0f3a
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
@@ -0,0 +1,9 @@
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+
+public class ResponseSplitting {
+ // BAD: Disables the internal response splitting verification
+ private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
+
+ // GOOD: Verifies headers passed don't contain CLRF characters
+ private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
+}
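Review bot: Both fields in the new example are named `badHeaders`, so the snippet does not compile and the "GOOD" case is indistinguishable from the flagged one; the second field should be `private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();`. The comment above it also misspells the control characters: `// GOOD: Verifies headers passed don't contain CRLF characters`. The class is declared as `ResponseSplitting` while the file is `NettyResponseSplitting.java`; if this example is ever compiled as part of a query test, the names need to agree.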
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp
new file mode 100644
index 00000000000..17afa6275fc
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp
@@ -0,0 +1,5 @@
+
+
+
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
new file mode 100644
index 00000000000..c7fb666d163
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -0,0 +1,7 @@
+import java
+
+from ClassInstanceExpr new
+where
+ new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
+ new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
+select new, "Response-splitting vulnerability due to verification being disabled."
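Review bot: The query has no metadata header, so it carries no `@kind problem`, `@id`, `@name`, `@description`, `@problem.severity`, `@precision` or `@tags` and will not be picked up as a problem query or attributed to CWE-113; add the standard comment block above `import java` with those fields, tagging it `security` and `external/cwe/cwe-113` and describing the alert as header validation being disabled on a Netty `DefaultHttpHeaders`. The `where` clause only matches a literal `false`, so a `static final boolean VALIDATE = false` constant passed to the constructor is missed; `new.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false` covers both the literal and the constant-folded case and also makes `getProperExpr()` unnecessary. Other Netty HTTP message constructors in the same package appear to take a similar `validateHeaders` flag (e.g. `DefaultHttpResponse`/`DefaultHttpRequest`); if that is confirmed they are worth covering in a follow-up so the check is not limited to `DefaultHttpHeaders`.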
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
index 87c2d03709b..aafdc26e49c 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
@@ -26,6 +26,13 @@ characters, thus avoiding the potential problem.
+
+The following example shows the use of the library 'netty' with HTTP response-splitting verification configurations.
+The second way will verify the parameters before using them to build the HTTP response.
+
+
+
+
InfosecWriters: HTTP response splitting.