diff --git a/java/change-notes/2021-05-21-more-response-splitting-sinks.md b/java/change-notes/2021-05-21-more-response-splitting-sinks.md new file mode 100644 index 000000000000..1ad79d03f4a1 --- /dev/null +++ b/java/change-notes/2021-05-21-more-response-splitting-sinks.md @@ -0,0 +1,2 @@ +lgtm,codescanning +* Add more methods from javax.servlet.http.HttpServletResponse as response splitting sinks. diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll index 70af02efc6dc..065c7c987cfb 100644 --- a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll +++ b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll @@ -18,6 +18,11 @@ private class HeaderSplittingSinkModel extends SinkModelCsv { override predicate row(string row) { row = [ + "javax.servlet.http;HttpServletResponse;false;sendRedirect;;;Argument[0];header-splitting", + "javax.servlet.http;HttpServletResponse;false;addDateHeader;;;Argument[0];header-splitting", + "javax.servlet.http;HttpServletResponse;false;setDateHeader;;;Argument[0];header-splitting", + "javax.servlet.http;HttpServletResponse;false;addIntHeader;;;Argument[0];header-splitting", + "javax.servlet.http;HttpServletResponse;false;setIntHeader;;;Argument[0];header-splitting", "javax.servlet.http;HttpServletResponse;false;addCookie;;;Argument[0];header-splitting", "javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument[0..1];header-splitting", "javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument[0..1];header-splitting", diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected index 1b4efe7781e2..02c2459f4207 100644 --- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected +++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected @@ -7,7 +7,17 @@ nodes | ResponseSplitting.java:23:23:23:28 | cookie | semmle.label | cookie | | ResponseSplitting.java:28:38:28:72 | getParameter(...) | semmle.label | getParameter(...) | | ResponseSplitting.java:29:38:29:72 | getParameter(...) | semmle.label | getParameter(...) | +| ResponseSplitting.java:30:25:30:52 | getParameter(...) | semmle.label | getParameter(...) | +| ResponseSplitting.java:31:26:31:53 | getParameter(...) | semmle.label | getParameter(...) | +| ResponseSplitting.java:32:26:32:53 | getParameter(...) | semmle.label | getParameter(...) | +| ResponseSplitting.java:33:25:33:52 | getParameter(...) | semmle.label | getParameter(...) | +| ResponseSplitting.java:34:25:34:52 | getParameter(...) | semmle.label | getParameter(...) | #select | ResponseSplitting.java:23:23:23:28 | cookie | ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | ResponseSplitting.java:23:23:23:28 | cookie | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:22:39:22:66 | getParameter(...) | user-provided value | | ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:28:38:28:72 | getParameter(...) | user-provided value | | ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:29:38:29:72 | getParameter(...) | user-provided value | +| ResponseSplitting.java:30:25:30:52 | getParameter(...) | ResponseSplitting.java:30:25:30:52 | getParameter(...) | ResponseSplitting.java:30:25:30:52 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:30:25:30:52 | getParameter(...) | user-provided value | +| ResponseSplitting.java:31:26:31:53 | getParameter(...) | ResponseSplitting.java:31:26:31:53 | getParameter(...) | ResponseSplitting.java:31:26:31:53 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:31:26:31:53 | getParameter(...) | user-provided value | +| ResponseSplitting.java:32:26:32:53 | getParameter(...) | ResponseSplitting.java:32:26:32:53 | getParameter(...) | ResponseSplitting.java:32:26:32:53 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:32:26:32:53 | getParameter(...) | user-provided value | +| ResponseSplitting.java:33:25:33:52 | getParameter(...) | ResponseSplitting.java:33:25:33:52 | getParameter(...) | ResponseSplitting.java:33:25:33:52 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:33:25:33:52 | getParameter(...) | user-provided value | +| ResponseSplitting.java:34:25:34:52 | getParameter(...) | ResponseSplitting.java:34:25:34:52 | getParameter(...) | ResponseSplitting.java:34:25:34:52 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:34:25:34:52 | getParameter(...) | user-provided value | diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java index d8bdd7e1731c..8a472dfde79d 100644 --- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java +++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java @@ -27,6 +27,11 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // can lead to HTTP splitting response.addHeader("Content-type", request.getParameter("contentType")); response.setHeader("Content-type", request.getParameter("contentType")); + response.sendRedirect(request.getParameter("name")); + response.addDateHeader(request.getParameter("name"), 0); + response.setDateHeader(request.getParameter("name"), 0); + response.addIntHeader(request.getParameter("name"), 0); + response.setIntHeader(request.getParameter("name"), 0); // GOOD: remove special characters before putting them in the header {