Merge pull request #2550 from JLLeitschuh/task/JLL/improve_netty_response_splitting_detection

aschackmull · web-flow · commit d918cb1f6f2c · 2020-01-07T14:28:01.000+01:00
Add io.netty.handler.codec.http.DefaultHttpResponse to Netty Response Splitting Detection
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.java
@@ -5,5 +5,11 @@ public class ResponseSplitting {
     private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders(false);
 
     // GOOD: Verifies headers passed don't contain CRLF characters
-    private final DefaultHttpHeaders badHeaders = new DefaultHttpHeaders();
+    private final DefaultHttpHeaders goodHeaders = new DefaultHttpHeaders();
+
+    // BAD: Disables the internal response splitting verification
+    private final DefaultHttpResponse badResponse = new DefaultHttpResponse(version, httpResponseStatus, false);
+
+    // GOOD: Verifies headers passed don't contain CRLF characters
+    private final DefaultHttpResponse goodResponse = new DefaultHttpResponse(version, httpResponseStatus);
 }
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -13,8 +13,21 @@
 
 import java
 
-from ClassInstanceExpr new
-where
-  new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
-  new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
-select new, "Response-splitting vulnerability due to verification being disabled."
+abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr { }
+
+private class InsecureDefaultHttpHeadersClassInstantiation extends InsecureNettyObjectCreation {
+  InsecureDefaultHttpHeadersClassInstantiation() {
+    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders") and
+    getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false
+  }
+}
+
+private class InsecureDefaultHttpResponseClassInstantiation extends InsecureNettyObjectCreation {
+  InsecureDefaultHttpResponseClassInstantiation() {
+    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
+    getArgument(2).(CompileTimeConstantExpr).getBooleanValue() = false
+  }
+}
+
+from InsecureNettyObjectCreation new
+select new, "Response-splitting vulnerability due to header value verification being disabled."
