hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 00:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add ResponseSplittingLocalQuery

Browse Source
This commit is contained in:
Ed Minnix
2023-04-05 14:02:35 -04:00
parent 91b3533035
commit e4f47ece43
3 changed files with 30 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
View File

@@ -12,26 +12,11 @@
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.ResponseSplitting
import semmle.code.java.security.ResponseSplittingLocalQuery
import ResponseSplittingLocalFlow::PathGraph
module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or
node.getType() instanceof BoxedType
}
}
module ResponseSplitting = TaintTracking::Global<ResponseSplittingLocalConfig>;
import ResponseSplitting::PathGraph
from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
where ResponseSplitting::flowPath(source, sink)
from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
where ResponseSplittingLocalFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
"This header depends on a $@, which may cause a response-splitting vulnerability.",
source.getNode(), "user-provided value"