Merge pull request #2192 from JLLeitschuh/feature/JLL/http_response_splitting_netty

aschackmull · web-flow · commit 0ffcf9ce641b · 2019-10-28T15:01:20.000+01:00
Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
@@ -0,0 +1,9 @@
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+
+public class ResponseSplitting {
+    // BAD: Disables the internal response splitting verification
+    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
+
+    // GOOD: Verifies headers passed don't contain CRLF characters
+    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
+}
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="ResponseSplitting.qhelp" /></qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Disabled Netty HTTP header validation
+ * @description Disabling HTTP header validation makes code vulnerable to
+ *              attack by header splitting if user input is written directly to
+ *              an HTTP header.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/netty-http-response-splitting
+ * @tags security
+ *       external/cwe/cwe-113
+ */
+
+import java
+
+from ClassInstanceExpr new
+where
+  new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
+  new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
+select new, "Response-splitting vulnerability due to verification being disabled."
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
@@ -26,6 +26,13 @@ characters, thus avoiding the potential problem.</p>
 <sample src="ResponseSplitting.java" />
 </example>
 
+<example>
+<p>The following example shows the use of the library 'netty' with HTTP response-splitting verification configurations.
+The second way will verify the parameters before using them to build the HTTP response.</p>
+
+<sample src="NettyResponseSplitting.java" />
+</example>
+
 <references>
 <li>
 InfosecWriters: <a href="http://www.infosecwriters.com/Papers/DCrab_HTTP_Response.pdf">HTTP response splitting</a>.
