CWE-113: DefaultHttpHeaders HTTP Response Splitting Query

[JLLeitschuh]

I've been finding various places that are using io.netty.handler.codec.http.DefaultHttpHeaders with validation turned off, thus exposing those libraries to HTTP Response splitting.

Below is a simple query to find these cases:

import java

from ClassInstanceExpr new
where new.getConstructedType().hasQualifiedName("io.netty.handler.codec.http", "DefaultHttpHeaders")
  and new.getArgument(0).getProperExpr() instanceof BooleanLiteral
  and new.getArgument(0).getProperExpr().(BooleanLiteral).getBooleanValue() = false
select new

This query isn't really general, it's specific to this class however, it may still be valuable.

If I wanted to submit this as a query, would it be appropriate to name the file so that it is associated with the library impacted:
https://github.com/Semmle/ql/tree/master/java/ql/src/Security/CWE/CWE-113

---

Related CVE from my research:

• https://nvd.nist.gov/vuln/detail/CVE-2019-17513

Documentation improvement in netty:

• [DOC] Add CWE-113 warning to DefaultHttpHeaders constructor netty/netty#9646

---

If anyone at Semmle wants to use this query as-is and can drop it in quickly, feel free to integrate it.

[aschackmull]

I think that looks like a fine contribution. Would you mind submitting it as a PR? You can place it in a new file, say NettyResponseSplitting.ql, in https://github.com/Semmle/ql/tree/master/java/ql/src/Security/CWE/CWE-113.

[aschackmull]

Btw. you can remove the new.getArgument(0).getProperExpr() instanceof BooleanLiteral line to simplify the query a bit, as the cast to BooleanLiteral in the line below implies this. Unlike other languages, casts in QL won't fail with an exception; failing a cast simply means that the proposition doesn't hold.