Move source and sink into importable library

rvermeulen · rvermeulen · commit 7435dac3d20e · 2020-07-09T14:53:59.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -11,7 +11,8 @@
  */
 
 import java
-import ServletResponseSplitting
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import ServletResponseSplitting
+import semmle.code.java.security.ResponseSplitting
 import DataFlow::PathGraph
 
 class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll
diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -1,4 +1,6 @@
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.JaxWS
 
 /**
  * Header-splitting sinks. Expressions that end up in an HTTP header.
@@ -9,3 +11,38 @@ abstract class HeaderSplittingSink extends DataFlow::Node { }
  * Sources that cannot be used to perform a header splitting attack.
  */
 abstract class SafeHeaderSplittingSource extends DataFlow::Node { }
+
+/**
+ * Header-splitting sinks. Expressions that end up in an HTTP header.
+ */
+private class ServletHeaderSplittingSink extends HeaderSplittingSink {
+  ServletHeaderSplittingSink() {
+    exists(ResponseAddCookieMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getArgument(0)
+    )
+    or
+    exists(ResponseAddHeaderMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getAnArgument()
+    )
+    or
+    exists(ResponseSetHeaderMethod m, MethodAccess ma |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getAnArgument()
+    )
+    or
+    exists(JaxRsResponseBuilder builder, Method m |
+      m = builder.getAMethod() and m.getName() = "header"
+    |
+      this.asExpr() = m.getAReference().getArgument(1)
+    )
+  }
+}
+
+private class ServletSafeHeaderSplittingSource extends SafeHeaderSplittingSource {
+  ServletSafeHeaderSplittingSource() {
+    this.asExpr().(MethodAccess).getMethod() instanceof HttpServletRequestGetHeaderMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof CookieGetNameMethod
+  }
+}
