Java: Convert header splitting sinks to CSV format

tamasvajk · tamasvajk · commit 0b7a6671dd75 · 2021-04-09T13:06:05.000+02:00
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -76,6 +76,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.security.ResponseSplitting
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -5,41 +5,30 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.JaxWS
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink that is vulnerable to an HTTP header splitting attack. */
-abstract class HeaderSplittingSink extends DataFlow::Node { }
+class HeaderSplittingSink extends DataFlow::Node {
+  HeaderSplittingSink() { sinkNode(this, "header-splitting") }
+}
+
+private class HeaderSplittingSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.servlet.http;HttpServletResponse;false;addCookie;;;Argument[0];header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;addHeader;;;Argument;header-splitting",
+        "javax.servlet.http;HttpServletResponse;false;setHeader;;;Argument;header-splitting",
+        "javax.ws.rs.core;ResponseBuilder;false;header;;;Argument[1];header-splitting"
+      ]
+  }
+}
 
 /** A source that introduces data considered safe to use by a header splitting source. */
 abstract class SafeHeaderSplittingSource extends DataFlow::Node {
   SafeHeaderSplittingSource() { this instanceof RemoteFlowSource }
 }
 
-/** A sink that identifies a Java Servlet or JaxWs method that is vulnerable to an HTTP header splitting attack. */
-private class ServletHeaderSplittingSink extends HeaderSplittingSink {
-  ServletHeaderSplittingSink() {
-    exists(ResponseAddCookieMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getArgument(0)
-    )
-    or
-    exists(ResponseAddHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getAnArgument()
-    )
-    or
-    exists(ResponseSetHeaderMethod m, MethodAccess ma |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getAnArgument()
-    )
-    or
-    exists(JaxRsResponseBuilder builder, Method m |
-      m = builder.getAMethod() and m.getName() = "header"
-    |
-      this.asExpr() = m.getAReference().getArgument(1)
-    )
-  }
-}
-
 /** A default source that introduces data considered safe to use by a header splitting source. */
 private class DefaultSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
   DefaultSafeHeaderSplittingSource() {

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ private module Frameworks {`
`76`	`76`	`private import semmle.code.java.frameworks.ApacheHttp`
`77`	`77`	`private import semmle.code.java.frameworks.apache.Lang`
`78`	`78`	`private import semmle.code.java.frameworks.guava.Guava`
	`79`	`+ private import semmle.code.java.security.ResponseSplitting`
`79`	`80`	`}`
`80`	`81`
`81`	`82`	`private predicate sourceModelCsv(string row) {`