Java: Whitelist Cookie::getName for HTTP response splitting.

aschackmull · aschackmull · commit 1188e18837ad · 2018-10-25T12:02:33.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qll
@@ -32,6 +32,7 @@ class HeaderSplittingSink extends DataFlow::ExprNode {
 
 class WhitelistedSource extends RemoteUserInput {
   WhitelistedSource() {
-    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod
+    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ class HeaderSplittingSink extends DataFlow::ExprNode {`
`32`	`32`
`33`	`33`	`class WhitelistedSource extends RemoteUserInput {`
`34`	`34`	`WhitelistedSource() {`
`35`		`- this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod`
	`35`	`+ this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or`
	`36`	`+ this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod`
`36`	`37`	`}`
`37`	`38`	`}`