Apply suggestions from code review for netty DefaultHttpHeaders

JLLeitschuh · aschackmull · web-flow · commit 934eed97df0a · 2019-10-25T12:30:16.000-04:00
Co-Authored-By: Anders Schack-Mulligen &lt;aschackmull@users.noreply.github.com&gt;
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
@@ -4,6 +4,6 @@ public class ResponseSplitting {
     // BAD: Disables the internal response splitting verification
     private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
 
-    // GOOD: Verifies headers passed don't contain CLRF characters
+    // GOOD: Verifies headers passed don't contain CRLF characters
     private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
 }
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -1,3 +1,16 @@
+/**
+ * @name Disabled Netty HTTP header validation
+ * @description Disabling HTTP header validation makes code vulnerable to
+ *              attack by header splitting if user input is written directly to
+ *              an HTTP header.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/netty-http-response-splitting
+ * @tags security
+ *       external/cwe/cwe-113
+ */
+
 import java
 
 from ClassInstanceExpr new

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,6 @@ public class ResponseSplitting {`
`4`	`4`	`// BAD: Disables the internal response splitting verification`
`5`	`5`	`private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);`
`6`	`6`
`7`		`- // GOOD: Verifies headers passed don't contain CLRF characters`
	`7`	`+ // GOOD: Verifies headers passed don't contain CRLF characters`
`8`	`8`	`private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();`
`9`	`9`	`}`