Merge pull request #2764 from JLLeitschuh/patch-1

aschackmull · web-flow · commit aa8ebf4fe169 · 2020-02-06T12:19:04.000+01:00
Add DefaultFullHttpResponse to Netty Check
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -29,5 +29,12 @@ private class InsecureDefaultHttpResponseClassInstantiation extends InsecureNett
   }
 }
 
+private class InsecureDefaultFullHttpResponseClassInstantiation extends InsecureNettyObjectCreation {
+  InsecureDefaultFullHttpResponseClassInstantiation() {
+    getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and
+    getArgument(3).(CompileTimeConstantExpr).getBooleanValue() = false
+  }
+}
+
 from InsecureNettyObjectCreation new
 select new, "Response-splitting vulnerability due to header value verification being disabled."

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,12 @@ private class InsecureDefaultHttpResponseClassInstantiation extends InsecureNett`
`29`	`29`	`}`
`30`	`30`	`}`
`31`	`31`
	`32`	`+private class InsecureDefaultFullHttpResponseClassInstantiation extends InsecureNettyObjectCreation {`
	`33`	`+ InsecureDefaultFullHttpResponseClassInstantiation() {`
	`34`	`+ getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultFullHttpResponse") and`
	`35`	`+ getArgument(3).(CompileTimeConstantExpr).getBooleanValue() = false`
	`36`	`+ }`
	`37`	`+}`
	`38`	`+`
`32`	`39`	`from InsecureNettyObjectCreation new`
`33`	`40`	`select new, "Response-splitting vulnerability due to header value verification being disabled."`