Cleanup Netty Response Splitting Query

JLLeitschuh · JLLeitschuh · commit 03fdee376768 · 2022-02-09T12:28:11.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -10,6 +10,7 @@
  * @id java/netty-http-request-or-response-splitting
  * @tags security
  *       external/cwe/cwe-113
+ *       external/capec/capec-105
  */
 
 import java
@@ -19,33 +20,34 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
   int vulnerableArgumentIndex;
 
   InsecureNettyObjectCreation() {
-    DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false), this.getArgument(vulnerableArgumentIndex))
+    DataFlow::localExprFlow(any(CompileTimeConstantExpr ctce | ctce.getBooleanValue() = false),
+      this.getArgument(vulnerableArgumentIndex))
   }
 
   abstract string splittingType();
 }
 
 abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
-  override string splittingType() { result = "Request-splitting or response-splitting" }
+  override string splittingType() { result = "Request splitting or response splitting" }
 }
 
 /**
  * Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
  */
 abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
-  override string splittingType() { result = "Request-splitting" }
+  override string splittingType() { result = "Request splitting" }
 }
 
 /**
  * Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
  */
 abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation {
-  override string splittingType() { result = "Response-splitting" }
+  override string splittingType() { result = "Response splitting" }
 }
 
 private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation {
   InsecureDefaultHttpHeadersClassInstantiation() {
-    getConstructedType()
+    this.getConstructedType()
         .hasQualifiedName("io.netty.handler.codec.http",
           ["DefaultHttpHeaders", "CombinedHttpHeaders"]) and
     vulnerableArgumentIndex = 0
@@ -54,28 +56,30 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
 
 private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
   InsecureDefaultHttpResponseClassInstantiation() {
-    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
+    this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpResponse") and
     vulnerableArgumentIndex = 2
   }
 }
 
 private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
   InsecureDefaultHttpRequestClassInstantiation() {
-    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and
+    this.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpRequest") and
     vulnerableArgumentIndex = 3
   }
 }
 
 private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation {
   InsecureDefaultFullHttpResponseClassInstantiation() {
-    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
+    this.getConstructedType()
+        .hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
     vulnerableArgumentIndex = [2, 3]
   }
 }
 
 private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation {
   InsecureDefaultFullHttpRequestClassInstantiation() {
-    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and
+    this.getConstructedType()
+        .hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpRequest") and
     vulnerableArgumentIndex = [3, 4]
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.qhelp
@@ -14,7 +14,7 @@ This can allow an attacker to perform an SSRF-like attack.</p>
 <p>In the context of a servlet container, if the user input includes blank lines
 and the servlet container does not escape the blank lines,
 then a remote user can cause the response to turn into two separate responses. 
-The remote user can then control one response, which is also HTTP response splitting.</p>
+The remote user can then control one or more responses, which is also HTTP response splitting.</p>
 </overview>
 
 <recommendation>
@@ -59,5 +59,8 @@ OWASP:
 <li>
 Wikipedia: <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">HTTP response splitting</a>.
 </li>
+<li>
+CAPEC: <a href="https://capec.mitre.org/data/definitions/105.html">CAPEC-105: HTTP Request Splitting</a>
+</li>
 </references>
 </qhelp>
