Merge pull request #1516 from aschackmull/java/http-response-splitting-fp-fix

yh-semmle · web-flow · commit 0bbc0d966e13 · 2019-06-27T19:47:48.000-04:00
Java: Add simple sanitizer for java/http-response-splitting.
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -23,6 +23,11 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -21,6 +21,11 @@ class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,11 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }`
	`26`	`+`
	`27`	`+ override predicate isSanitizer(DataFlow::Node node) {`
	`28`	`+ node.getType() instanceof PrimitiveType or`
	`29`	`+ node.getType() instanceof BoxedType`
	`30`	`+ }`
`26`	`31`	`}`
`27`	`32`
`28`	`33`	`from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf`