Add ResponseSplittingLocalQuery

egregius313 · egregius313 · commit e4f47ece431a · 2023-05-04T10:15:00.000-04:00
diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -9,4 +9,5 @@ category: minorAnalysis
 * Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
 * Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
 * Added the `StackTraceExposureQuery.qll` library to provide the `printsStackExternally`, `stringifiedStackFlowsExternally`, and `getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
-* Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
+* Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
+* Added the `ResponseSplittingLocalQuery.qll` library to provide the `ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
@@ -0,0 +1,24 @@
+/** Provides a taint-tracking configuration to reason about response splitting vulnerabilities from local user input. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.ResponseSplitting
+
+/**
+ * A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
+ */
+module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType
+  }
+}
+
+/**
+ * Taint-tracking flow for response splitting vulnerabilities from local user input.
+ */
+module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -12,26 +12,11 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ResponseSplitting
+import semmle.code.java.security.ResponseSplittingLocalQuery
+import ResponseSplittingLocalFlow::PathGraph
 
-module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
-    node.getType() instanceof BoxedType
-  }
-}
-
-module ResponseSplitting = TaintTracking::Global<ResponseSplittingLocalConfig>;
-
-import ResponseSplitting::PathGraph
-
-from ResponseSplitting::PathNode source, ResponseSplitting::PathNode sink
-where ResponseSplitting::flowPath(source, sink)
+from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
+where ResponseSplittingLocalFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"
