Update TimingAttackAgainstHeader.ql

ahmed-farid-dev · smowton · commit 36cf1010f81b · 2022-02-25T17:33:07.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
@@ -34,7 +34,7 @@ class ClientSuppliedIpTokenCheck extends DataFlow::Node {
       ma.getMethod().hasName("getHeader") and
       ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
           "x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header", 
-           "http_x_csrf_token", "x-api-key"
+           "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization"
         ] and
       ma = this.asExpr()
     )

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ class ClientSuppliedIpTokenCheck extends DataFlow::Node {`
`34`	`34`	`ma.getMethod().hasName("getHeader") and`
`35`	`35`	`ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [`
`36`	`36`	`"x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header",`
`37`		`- "http_x_csrf_token", "x-api-key"`
	`37`	`+ "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization"`
`38`	`38`	`] and`
`39`	`39`	`ma = this.asExpr()`
`40`	`40`	`)`