gitlab.find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE-1
unknown
Download Count*
License
This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow a HTTP response splitting vulnerability. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
Run Locally
Run in CI
Defintion
rules:
- id: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE-1
mode: taint
pattern-sources:
- pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...);
pattern-sanitizers:
- patterns:
- pattern-inside: |
$STR.replaceAll("$REPLACE_CHAR", "$REPLACER");
...
- pattern: $STR
- metavariable-regex:
metavariable: $REPLACER
regex: .*^(CRLF).*
- metavariable-regex:
metavariable: $REPLACE_CHAR
regex: (*CRLF)
- pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...);
pattern-sinks:
- pattern: new javax.servlet.http.Cookie("$KEY", ...);
- patterns:
- pattern-inside: |
$C = new javax.servlet.http.Cookie("$KEY", ...);
...
- pattern: $C.setValue(...);
message: >
This code constructs an HTTP Cookie using an untrusted HTTP parameter. If
this cookie is added
to an HTTP response, it will allow a HTTP response splitting vulnerability. See
http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
languages:
- java
severity: ERROR
metadata:
category: security
cwe: "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP
Response Splitting')"
technology:
- java
primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_COOKIE-1
secondary_identifiers:
- name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_COOKIE
type: find_sec_bugs_type
value: HRS_REQUEST_PARAMETER_TO_COOKIE
license: MIT
Short Link: https://sg.run/1k2Q