
Commit c4cf2fe

committed
Java: Refactor ResponseSplitting, ResponseSplittingLocal
1 parent 9b02eb7 commit c4cf2fe


2 files changed

+20
-18
lines changed


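--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -14,19 +14,16 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ResponseSplitting
-import DataFlow::PathGraph
 
-class ResponseSplittingConfig extends TaintTracking::Configuration {
-ResponseSplittingConfig() { this = "ResponseSplittingConfig" }
-
-override predicate isSource(DataFlow::Node source) {
+module ResponseSplittingConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
 source instanceof RemoteFlowSource and
 not source instanceof SafeHeaderSplittingSource
 }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
-override predicate isSanitizer(DataFlow::Node node) {
+predicate isBarrier(DataFlow::Node node) {
 node.getType() instanceof PrimitiveType
 or
 node.getType() instanceof BoxedType
@@ -45,8 +42,12 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
-where conf.hasFlowPath(source, sink)
+module ResponseSplitting = TaintTracking::Make<ResponseSplittingConfig>;
+
+import ResponseSplitting::PathGraph
+
+from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
+where ResponseSplitting::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
 "This header depends on a $@, which may cause a response-splitting vulnerability.",
 source.getNode(), "user-provided value"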
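Review bot: The `isBarrier` predicate that replaces `isSanitizer` has no comment explaining why values of `PrimitiveType` and `BoxedType` stop taint. As far as I know `PrimitiveType` also matches `char` and `BoxedType` matches `Character`, which are not obviously unable to carry a line break. Since this refactor should preserve query results I would leave the logic alone, but add a QLDoc line above the predicate such as `/** Values of primitive and boxed types are treated as unable to introduce a header line break. */` and confirm that including `char` is intended. The predicate's body continues past the end of the first hunk, so any further barrier conditions are not visible here.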

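--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -14,23 +14,24 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ResponseSplitting
-import DataFlow::PathGraph
 
-class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
-ResponseSplittingLocalConfig() { this = "ResponseSplittingLocalConfig" }
+module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
-override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
-
-override predicate isSanitizer(DataFlow::Node node) {
+predicate isBarrier(DataFlow::Node node) {
 node.getType() instanceof PrimitiveType or
 node.getType() instanceof BoxedType
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf
-where conf.hasFlowPath(source, sink)
+module ResponseSplitting = TaintTracking::Make<ResponseSplittingLocalConfig>;
+
+import ResponseSplitting::PathGraph
+
+from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
+where ResponseSplitting::hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
 "This header depends on a $@, which may cause a response-splitting vulnerability.",
 source.getNode(), "user-provided value"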
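Review bot: The flow module in this file is named `ResponseSplitting`, the same name used in ResponseSplitting.ql, even though its configuration is `ResponseSplittingLocalConfig`. The name therefore does not show that this query tracks `LocalUserInput` rather than remote sources. I would declare it as `module ResponseSplittingLocal = TaintTracking::Make<ResponseSplittingLocalConfig>;` and update the `import`, `from` and `where` lines to match. This is a naming change only and should not affect results.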
