Move headers injection query and concept from experimental to main

joefarebrother · joefarebrother · commit 6021d9238c6e · 2024-04-24T14:05:37.000+01:00
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -1025,6 +1025,45 @@ module Http {
       }
     }
 
+    /**
+     * A data-flow node that sets a header in an HTTP response.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `ResponseHeaderWrite::Range` instead.
+     */
+    class ResponseHeaderWrite extends DataFlow::Node instanceof ResponseHeaderWrite::Range {
+      /**
+       * Gets the argument containing the header name.
+       */
+      DataFlow::Node getNameArg() { result = super.getNameArg() }
+
+      /**
+       * Gets the argument containing the header value.
+       */
+      DataFlow::Node getValueArg() { result = super.getValueArg() }
+    }
+
+    /** Provides a class for modelling header writes on HTTP responses. */
+    module ResponseHeaderWrite {
+      /**
+       *A data-flow node that sets a header in an HTTP response.
+       *
+       * Extend this class to model new APIs. If you want to refine existing API models,
+       * extend `ResponseHeaderWrite` instead.
+       */
+      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets the argument containing the header name.
+         */
+        abstract DataFlow::Node getNameArg();
+
+        /**
+         * Gets the argument containing the header value.
+         */
+        abstract DataFlow::Node getValueArg();
+      }
+    }
+
     /**
      * A data-flow node that sets a cookie in an HTTP response.
      *
diff --git a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll
@@ -1,17 +1,21 @@
+/**
+ * Provides a taint tracking configuration for reasoning about HTTP header injection.
+ */
+
 import python
-import experimental.semmle.python.Concepts
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.dataflow.new.RemoteFlowSources
 
 /**
- * A taint-tracking configuration for detecting HTTP Header injections.
+ * A taint-tracking configuration for detecting HTTP Header injection vulnerabilities.
  */
 private module HeaderInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(HeaderDeclaration headerDeclaration |
+    exists(Http::Server::ResponseHeaderWrite headerDeclaration |
       sink in [headerDeclaration.getNameArg(), headerDeclaration.getValueArg()]
     )
   }
diff --git a/python/ql/src/Security/CWE-113/HeaderInjection.ql b/python/ql/src/Security/CWE-113/HeaderInjection.ql
@@ -1,19 +1,19 @@
 /**
  * @name HTTP Header Injection
- * @description User input should not be used in HTTP headers, otherwise a malicious user
- *              may be able to inject a value that could manipulate the response.
+ * @description Writing user input directly to an HTTP header
+ *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
  * @id py/header-injection
  * @tags security
- *       experimental
  *       external/cwe/cwe-113
  *       external/cwe/cwe-079
  */
 
-// determine precision above
 import python
-import experimental.semmle.python.security.injection.HTTPHeaders
+import semmle.python.security.dataflow.HttpHeaderInjectionQuery
 import HeaderInjectionFlow::PathGraph
 
 from HeaderInjectionFlow::PathNode source, HeaderInjectionFlow::PathNode sink
diff --git a/python/ql/src/experimental/semmle/python/Concepts.qll b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -217,14 +217,14 @@ class SqlEscape extends DataFlow::Node instanceof SqlEscape::Range {
 }
 
 /** Provides classes for modeling HTTP Header APIs. */
-module HeaderDeclaration {
+deprecated module HeaderDeclaration {
   /**
    * A data-flow node that collects functions setting HTTP Headers.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `HeaderDeclaration` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  abstract deprecated class Range extends DataFlow::Node {
     /**
      * Gets the argument containing the header name.
      */
@@ -243,7 +243,7 @@ module HeaderDeclaration {
  * Extend this class to refine existing API models. If you want to model new APIs,
  * extend `HeaderDeclaration::Range` instead.
  */
-class HeaderDeclaration extends DataFlow::Node instanceof HeaderDeclaration::Range {
+deprecated class HeaderDeclaration extends DataFlow::Node instanceof HeaderDeclaration::Range {
   /**
    * Gets the argument containing the header name.
    */
