Move ResponseSplitting configuration to ResponseSplittingQuery.qll

egregius313 · egregius313 · commit 3eaa94a5d2d2 · 2023-03-29T17:59:33.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -0,0 +1,40 @@
+/** Provides a taint tracking configuration to reason about response splitting vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
+
+/**
+ * A taint-tracking configuration for response splitting vulnerabilities.
+ */
+module ResponseSplittingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    not source instanceof SafeHeaderSplittingSource
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType
+    or
+    node.getType() instanceof BoxedType
+    or
+    exists(MethodAccess ma, string methodName, CompileTimeConstantExpr target |
+      node.asExpr() = ma and
+      ma.getMethod().hasQualifiedName("java.lang", "String", methodName) and
+      target = ma.getArgument(0) and
+      (
+        methodName = "replace" and target.getIntValue() = [10, 13] // 10 == "\n", 13 == "\r"
+        or
+        methodName = "replaceAll" and
+        target.getStringValue().regexpMatch(".*([\n\r]|\\[\\^[^\\]\r\n]*\\]).*")
+      )
+    )
+  }
+}
+
+/**
+ * Tracks flow from remote sources to response splitting vulnerabilities.
+ */
+module ResponseSplittingFlow = TaintTracking::Global<ResponseSplittingConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -12,42 +12,11 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ResponseSplitting
+import semmle.code.java.security.ResponseSplittingQuery
+import ResponseSplittingFlow::PathGraph
 
-module ResponseSplittingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    not source instanceof SafeHeaderSplittingSource
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
-    or
-    exists(MethodAccess ma, string methodName, CompileTimeConstantExpr target |
-      node.asExpr() = ma and
-      ma.getMethod().hasQualifiedName("java.lang", "String", methodName) and
-      target = ma.getArgument(0) and
-      (
-        methodName = "replace" and target.getIntValue() = [10, 13] // 10 == "\n", 13 == "\r"
-        or
-        methodName = "replaceAll" and
-        target.getStringValue().regexpMatch(".*([\n\r]|\\[\\^[^\\]\r\n]*\\]).*")
-      )
-    )
-  }
-}
-
-module ResponseSplitting = TaintTracking::Global<ResponseSplittingConfig>;
-
-import ResponseSplitting::PathGraph
-
-from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
-where ResponseSplitting::flowPath(source, sink)
+from ResponseSplittingFlow::PathNode source, ResponseSplittingFlow::PathNode sink
+where ResponseSplittingFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
