Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders

Closes #2185

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java

@@ -0,0 +1,9 @@
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+
+public class ResponseSplitting {
+    // BAD: Disables the internal response splitting verification
+    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
+
+    // GOOD: Verifies headers passed don't contain CLRF characters
+    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
+}

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="ResponseSplitting.qhelp" /></qhelp>

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

@@ -0,0 +1,7 @@
+import java
+
+from ClassInstanceExpr new
+where
+  new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
+  new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
+select new, "Response-splitting vulnerability due to verification being disabled."

java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp

@@ -26,6 +26,13 @@ characters, thus avoiding the potential problem.</p>
 <sample src="ResponseSplitting.java" />
 </example>
 
+<example>
+<p>The following example shows the use of the library 'netty' with HTTP response-splitting verification configurations.
+The second way will verify the parameters before using them to build the HTTP response.</p>
+
+<sample src="NettyResponseSplitting.java" />
+</example>
+
 <references>
 <li>
 InfosecWriters: <a href="http://www.infosecwriters.com/Papers/DCrab_HTTP_Response.pdf">HTTP response splitting</a>.