diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
index 2ff22d11b8c..d63c3d150a6 100644
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -9,4 +9,5 @@ category: minorAnalysis
 * Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
 * Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
 * Added the `StackTraceExposureQuery.qll` library to provide the `printsStackExternally`, `stringifiedStackFlowsExternally`, and `getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
-* Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
\ No newline at end of file
+* Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
+* Added the `ResponseSplittingLocalQuery.qll` library to provide the `ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
\ No newline at end of file
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
new file mode 100644
index 00000000000..1374096a79f
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
@@ -0,0 +1,24 @@
+/** Provides a taint-tracking configuration to reason about response splitting vulnerabilities from local user input. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
+
+/**
+ * A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
+ */
+module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+
+ predicate isBarrier(DataFlow::Node node) {
+ node.getType() instanceof PrimitiveType or
+ node.getType() instanceof BoxedType
+ }
+}
+
+/**
+ * Taint-tracking flow for response splitting vulnerabilities from local user input.
+ */
+module ResponseSplittingLocalFlow = TaintTracking::Global;
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
index 402ad1ba1bc..804ead11a35 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
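Review bot: The `isBarrier` predicate in `ResponseSplittingLocalConfig` stops taint at every `PrimitiveType` and `BoxedType` without saying why, so a reader of the library cannot tell whether this is a deliberate precision choice; a short comment such as `// Numeric and boolean values cannot carry CR/LF and so cannot split a header` would record the intent. Note that `char` and `Character` are covered by the same check, so a single user-controlled character reaching a `HeaderSplittingSink` would presumably be dropped as well — worth confirming that this is intended, or narrowing the barrier to the numeric and boolean types. Separately, the rendered hunk shows `module ResponseSplittingLocalFlow = TaintTracking::Global;` with no configuration type argument; the same form appears on the removed side of the `ResponseSplittingLocal.ql` hunk, so this is most likely angle brackets lost in rendering, but if it is genuinely missing the instantiation should read `TaintTracking::Global<ResponseSplittingLocalConfig>`.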
@@ -12,26 +12,11 @@ */
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ResponseSplitting
+import semmle.code.java.security.ResponseSplittingLocalQuery
+import ResponseSplittingLocalFlow::PathGraph
-module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
-
- predicate isBarrier(DataFlow::Node node) {
- node.getType() instanceof PrimitiveType or
- node.getType() instanceof BoxedType
- }
-}
-
-module ResponseSplitting = TaintTracking::Global;
-
-import ResponseSplitting::PathGraph
-
-from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
-where ResponseSplitting::flowPath(source, sink)
+from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
+where ResponseSplittingLocalFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
 "This header depends on a $@, which may cause a response-splitting vulnerability.",
 source.getNode(), "user-provided value"