gitlab.find_sec_bugs.HTTP_PARAMETER_POLLUTION-1

rules:
  - id: find_sec_bugs.HTTP_PARAMETER_POLLUTION-1
    mode: taint
    pattern-sources:
      - pattern: (HttpServletRequest $REQ).getParameter(...)
    pattern-sanitizers:
      - pattern: java.net.URLEncoder.encode(...)
      - pattern: com.google.common.net.UrlEscapers.urlPathSegmentEscaper().escape(...)
    pattern-sinks:
      - pattern: new org.apache.http.client.methods.HttpGet(...)
      - pattern: new org.apache.commons.httpclient.methods.GetMethod(...)
      - pattern: (org.apache.commons.httpclient.methods.GetMethod
          $GM).setQueryString(...)
    message: >
      Concatenating unvalidated user input into a URL can allow an attacker to
      override the value of

      a request parameter. Attacker may be able to override existing parameter values, inject a new

      parameter or exploit variables out of a direct reach. HTTP Parameter Pollution (HPP) attacks

      consist of injecting encoded query string delimiters into other existing parameters. If a web

      application does not properly sanitize the user input, a malicious user may compromise the

      logic of the application to perform either client-side or server-side attacks.
    languages:
      - java
    severity: ERROR
    metadata:
      category: security
      cwe: "CWE-88: Improper Neutralization of Argument Delimiters in a Command
        ('Argument Injection')"
      technology:
        - java
      primary_identifier: find_sec_bugs.HTTP_PARAMETER_POLLUTION-1
      secondary_identifiers:
        - name: Find Security Bugs-HTTP_PARAMETER_POLLUTION
          type: find_sec_bugs_type
          value: HTTP_PARAMETER_POLLUTION
      license: MIT