Split qhelp files

Author: artem-smotrakov

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.qhelp

@@ -1,82 +1,8 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
 <qhelp>
-
-<overview>
-<p>
-The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
-for creating remote service exporters.
-A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
-Deserializing untrusted data is easily exploitable and in many cases allows an attacker
-to execute arbitrary code.
-</p>
-<p>
-The Spring Framework also provides two classes that extend <code>RemoteInvocationSerializingExporter</code>:
-<li>
-<code>HttpInvokerServiceExporter</code>
-</li>
-<li>
-<code>SimpleHttpInvokerServiceExporter</code>
-</li>
-</p>
-<p>
-These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
-using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
-it results in remote code execution in the worst case.
-</p>
-<p>
-CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
-It is regarded as a design limitation, and can be mitigated but not fixed outright.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
-and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
-Instead, use other message formats for API endpoints (for example, JSON),
-but make sure that the underlying deserialization mechanism is properly configured
-so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
-consider using global deserialization filters introduced in JEP 290.
-</p>
-</recommendation>
-
-<example>
-<p>
-The following example shows how a vulnerable HTTP endpoint can be defined
-using <code>HttpInvokerServiceExporter</code> and Spring annotations:
-</p>
-<sample src="SpringExporterUnsafeDeserialization.java" />
-</example>
-
-<references>
-<li>
-OWASP:
-<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
-</li>
-<li>
-Spring Framework API documentation:
-<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
-</li>
-<li>
-Spring Framework API documentation:
-<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
-</li>
-<li>
-National Vulnerability Database:
-<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
-</li>
-<li>
-Tenable Research Advisory:
-<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
-</li>
-<li>
-Spring Framework bug tracker:
-<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>  
-</li>
-<li>
-OpenJDK:
-<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
-</li>
-</references>
-
+  <include src="UnsafeSpringExporterQuery.inc.qhelp" />
+  <include src="UnsafeSpringExporterInConfigurationClassExample.inc.qhelp" />
+  <include src="UnsafeSpringExporterReferences.inc.qhelp" />
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClassExample.inc.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<example>
+<p>
+The following example shows how a vulnerable HTTP endpoint can be defined
+using <code>HttpInvokerServiceExporter</code> and Spring annotations:
+</p>
+<sample src="SpringExporterUnsafeDeserialization.java" />
+</example>
+
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.qhelp

@@ -1,81 +1,8 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
 <qhelp>
-
-<overview>
-<p>
-The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
-for creating remote service exporters.
-A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
-Deserializing untrusted data is easily exploitable and in many cases allows an attacker
-to execute arbitrary code.
-</p>
-<p>
-The Spring Framework also provides two classes that extend <code>RemoteInvocationSerializingExporter</code>:
-<li>
-<code>HttpInvokerServiceExporter</code>
-</li>
-<li>
-<code>SimpleHttpInvokerServiceExporter</code>
-</li>
-</p>
-<p>
-These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
-using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
-it results in remote code execution in the worst case.
-</p>
-<p>
-CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
-It is regarded as a design limitation, and can be mitigated but not fixed outright.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
-and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
-Instead, use other message formats for API endpoints (for example, JSON),
-but make sure that the underlying deserialization mechanism is properly configured
-so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
-consider using global deserialization filters introduced in JEP 290.
-</p>
-</recommendation>
-
-<example>
-<p>
-The following examples shows how a vulnerable HTTP endpoint can be defined in a Spring XML config:
-</p>
-<sample src="SpringExporterUnsafeDeserialization.xml" />
-</example>
-
-<references>
-<li>
-OWASP:
-<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
-</li>
-<li>
-Spring Framework API documentation:
-<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
-</li>
-<li>
-Spring Framework API documentation:
-<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
-</li>
-<li>
-National Vulnerability Database:
-<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
-</li>
-<li>
-Tenable Research Advisory:
-<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
-</li>
-<li>
-Spring Framework bug tracker:
-<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>  
-</li>
-<li>
-OpenJDK:
-<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
-</li>
-</references>
-
+  <include src="UnsafeSpringExporterQuery.inc.qhelp" />
+  <include src="UnsafeSpringExporterInXMLConfigurationExample.inc.qhelp" />
+  <include src="UnsafeSpringExporterReferences.inc.qhelp" />
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfigurationExample.inc.qhelp

@@ -0,0 +1,13 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<example>
+<p>
+The following examples shows how a vulnerable HTTP endpoint can be defined in a Spring XML config:
+</p>
+<sample src="SpringExporterUnsafeDeserialization.xml" />
+</example>
+
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterQuery.inc.qhelp

@@ -0,0 +1,41 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+The Spring Framework provides an abstract base class <code>RemoteInvocationSerializingExporter</code>
+for creating remote service exporters.
+A Spring exporter, which is based on this class, deserializes incoming data using <code>ObjectInputStream</code>.
+Deserializing untrusted data is easily exploitable and in many cases allows an attacker
+to execute arbitrary code.
+</p>
+<p>
+The Spring Framework also provides <code>HttpInvokerServiceExporter</code>
+and <code>SimpleHttpInvokerServiceExporter</code> classes
+that extend <code>RemoteInvocationSerializingExporter</code>.
+</p>
+<p>
+These classes export specified beans as HTTP endpoints that deserialize data from an HTTP request
+using unsafe <code>ObjectInputStream</code>. If a remote attacker can reach such endpoints,
+it results in remote code execution in the worst case.
+</p>
+<p>
+CVE-2016-1000027 has been assigned to this issue in the Spring Framework.
+It is regarded as a design limitation, and can be mitigated but not fixed outright.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid using <code>HttpInvokerServiceExporter</code>, <code>SimpleHttpInvokerServiceExporter</code>
+and any other exporter that is based on <code>RemoteInvocationSerializingExporter</code>.
+Instead, use other message formats for API endpoints (for example, JSON),
+but make sure that the underlying deserialization mechanism is properly configured
+so that deserialization attacks are not possible. If the vulnerable exporters can not be replaced,
+consider using global deserialization filters introduced in JEP 290.
+</p>
+</recommendation>
+
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterReferences.inc.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>.
+</li>
+<li>
+Spring Framework API documentation:
+<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/rmi/RemoteInvocationSerializingExporter.html">RemoteInvocationSerializingExporter class</a>
+</li>
+<li>
+Spring Framework API documentation:
+<a href="https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter.html">HttpInvokerServiceExporter class</a>
+</li>
+<li>
+National Vulnerability Database:
+<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-1000027">CVE-2016-1000027</a>
+</li>
+<li>
+Tenable Research Advisory:
+<a href="https://www.tenable.com/security/research/tra-2016-20">[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization</a>
+</li>
+<li>
+Spring Framework bug tracker:
+<a href="https://github.com/spring-projects/spring-framework/issues/24434">Sonatype vulnerability CVE-2016-1000027 in Spring-web project</a>  
+</li>
+<li>
+OpenJDK:
+<a href="https://openjdk.java.net/jeps/290">JEP 290: Filter Incoming Serialization Data</a>
+</li>
+</references>
+
+</qhelp>