Extract HeaderSplittingSink and WhitelistedSource

rvermeulen · rvermeulen · commit 5f560e04659c · 2020-07-08T17:17:24.000+02:00
- Extract `HeaderSplittingSink` and `WhitelistedSource` into an
importable library.
- Rename the existing `HeaderSplittingSink` implementation to
`ServletHeaderSplittingSink`.
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -11,15 +11,15 @@
  */
 
 import java
-import ResponseSplitting
+import ServletResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingConfig extends TaintTracking::Configuration {
   ResponseSplittingConfig() { this = "ResponseSplittingConfig" }
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    not source instanceof WhitelistedSource
+    not source instanceof TrustedSource
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import ResponseSplitting
+import ServletResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll
@@ -1,12 +1,13 @@
 import java
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
 
 /**
  * Header-splitting sinks. Expressions that end up in an HTTP header.
  */
-class HeaderSplittingSink extends DataFlow::ExprNode {
-  HeaderSplittingSink() {
+class ServletHeaderSplittingSink extends HeaderSplittingSink {
+  ServletHeaderSplittingSink() {
     exists(ResponseAddCookieMethod m, MethodAccess ma |
       ma.getMethod() = m and
       this.getExpr() = ma.getArgument(0)
@@ -30,8 +31,8 @@ class HeaderSplittingSink extends DataFlow::ExprNode {
   }
 }
 
-class WhitelistedSource extends DataFlow::ExprNode {
-  WhitelistedSource() {
+class TrustedServletSource extends TrustedSource {
+  TrustedServletSource() {
     this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
     this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
   }
diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -0,0 +1,11 @@
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * Header-splitting sinks. Expressions that end up in an HTTP header.
+ */
+abstract class HeaderSplittingSink extends DataFlow::ExprNode { }
+
+/**
+ * Sources that cannot be used to perform a header splitting attack.
+ */
+abstract class TrustedSource extends DataFlow::ExprNode { }
