gitlab.find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1
This code directly writes an HTTP parameter to an HTTP header, which allows for an HTTP response splitting vulnerability: an attacker who can place CR/LF characters in the parameter value terminates the header and appends headers, or an entire second response, of their own. See http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
Definition
rules:
  - id: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1
    mode: taint
    pattern-sources:
      - pattern: (javax.servlet.http.HttpServletRequest $REQ).getParameter(...);
    pattern-sanitizers:
      - patterns:
          - pattern-inside: |
              $STR.replaceAll("$REPLACE_CHAR", "$REPLACER");
              ...
          - pattern: $STR
          - metavariable-regex:
              metavariable: $REPLACER
              regex: .*^(CRLF).*
          - metavariable-regex:
              metavariable: $REPLACE_CHAR
              regex: (*CRLF)
      - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...);
    pattern-sinks:
      - pattern: (javax.servlet.http.HttpServletResponse $RES).setHeader("$KEY", ...);
      - pattern: (javax.servlet.http.HttpServletResponse $RES).addHeader("$KEY", ...);
      - pattern: (javax.servlet.http.HttpServletResponseWrapper $WRP).setHeader("$KEY", ...);
      - pattern: (javax.servlet.http.HttpServletResponseWrapper $WRP).addHeader("$KEY", ...);
    message: >
      This code directly writes an HTTP parameter to an HTTP header, which
      allows for an HTTP response splitting vulnerability. See
      http://en.wikipedia.org/wiki/HTTP_response_splitting for more information.
    languages:
      - java
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
      technology:
        - java
      primary_identifier: find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER-1
      secondary_identifiers:
        - name: Find Security Bugs-HRS_REQUEST_PARAMETER_TO_HTTP_HEADER
          type: find_sec_bugs_type
          value: HRS_REQUEST_PARAMETER_TO_HTTP_HEADER
      license: MIT
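The servlet below is an added example, not code from this rule page, from Semgrep or from Find Security Bugs. It shows the exact source-to-sink shape the rule flags (`getParameter(...)` flowing into `setHeader(...)`) next to a hardened handler, and a stand-alone `main` that runs the checks over a constructed response-splitting payload. The class name `RedirectServlet`, the parameter name `next` and the helper names are assumptions; the code assumes the `javax.servlet` API on the classpath.

```java
// Added example: a redirect servlet in the vulnerable shape the rule reports,
// beside a hardened version. Assumes the javax.servlet API on the classpath.
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {

    // Any CR or LF, not only the CRLF pair: a bare CR or bare LF is enough to
    // end a header line on some parsers, so both must be treated as hostile.
    private static final Pattern CRLF = Pattern.compile("[\\r\\n]");

    /** Vulnerable (hypothetical name): the request parameter reaches the header unchanged. */
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String next = req.getParameter("next");   // taint source matched by the rule
        res.setHeader("Location", next);            // taint sink matched by the rule (CWE-113)
        res.setStatus(HttpServletResponse.SC_FOUND);
    }

    /** Hardened: reject a value containing CR/LF rather than trying to repair it. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String next = req.getParameter("next");
        if (next == null || containsCrlf(next)) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid redirect target");
            return;
        }
        res.setHeader("Location", next);
        res.setStatus(HttpServletResponse.SC_FOUND);
    }

    /** True when the value carries a header-terminating character. */
    static boolean containsCrlf(String value) {
        return CRLF.matcher(value).find();
    }

    /** Stripping alternative: removes CR/LF so the value cannot end the header line. */
    static String stripCrlf(String value) {
        return value.replaceAll("[\\r\\n]", "");
    }

    // Stand-alone demonstration over a constructed payload; no container needed.
    public static void main(String[] args) {
        // Constructed attacker input: closes the Location header, injects a
        // Set-Cookie header and an empty line, then supplies its own body.
        String payload = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>owned</html>";
        System.out.println("reject? " + containsCrlf(payload));
        System.out.println("stripped: " + stripCrlf(payload));
        System.out.println("clean value passes? " + !containsCrlf("/home?tab=1"));
    }
}
```

Two caveats when using this rule. First, it is a taint rule with a fixed sanitizer list: only the `replaceAll` call whose metavariables satisfy the regexes above and `StringEscapeUtils.unescapeJava` clear the taint, so the rejection guard in `doGet` is not recognised and that handler will be reported as well; whether a particular `replaceAll("[\\r\\n]", "")` satisfies the `$REPLACE_CHAR`/`$REPLACER` regexes should be confirmed with a scan rather than assumed. Second, many servlet containers now refuse or strip CR/LF in header values themselves, but the rule does not model container behaviour, and relying on it leaves the application one configuration change away from the bug; rejecting the request keeps the redirect target intact, whereas stripping silently alters it.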
Short Link: https://sg.run/93NR