java.lang.security.audit.http-response-splitting.http-response-splitting


Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.


Definition

rules:
  - id: http-response-splitting
    metadata:
      cwe:
        - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
          ('HTTP Request/Response Splitting')"
      owasp:
        - A03:2021 - Injection
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING
      references:
        - https://www.owasp.org/index.php/HTTP_Response_Splitting
      category: security
      technology:
        - java
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Validation
    message: Older Java application servers are vulnerable to HTTP response
      splitting, which may occur if an HTTP request can be injected with CRLF
      characters. This finding is reported for completeness; it is recommended
      to ensure your environment is not affected by testing this yourself.
    severity: INFO
    languages:
      - java
    pattern-either:
      - pattern: |
          $VAR = $REQ.getParameter(...);
          ...
          $COOKIE = new Cookie(..., $VAR, ...);
          ...
          $RESP.addCookie($COOKIE, ...);
      - patterns:
          - pattern-inside: |
              $RETTYPE $FUNC(...,@PathVariable $TYPE $VAR, ...) {
                ...
              }
          - pattern: |
              $COOKIE = new Cookie(..., $VAR, ...);
              ...
              $RESP.addCookie($COOKIE, ...);

Examples

http-response-splitting.java

/**
 * Semgrep test fixture for the {@code http-response-splitting} rule.
 *
 * <p>The {@code // ruleid:} and {@code // ok:} comments are fixture
 * annotations: each one states whether the rule is expected to flag the
 * line directly beneath it, so they must stay immediately above the code
 * they annotate. {@code Permissions}, {@code AUTHOR_PARAMETER},
 * {@code APIException}, {@code AuthorObj} and {@code Response} are declared
 * elsewhere; nothing in this fixture depends on what they contain.
 */
@Controller
@RequestMapping("/api/test")
public class TestController {

    /**
     * Copies a request parameter straight into a cookie value.
     *
     * <p>This is the rule's first pattern: {@code request.getParameter(...)}
     * is the source, its value is passed to {@code new Cookie(...)}, and the
     * cookie reaches {@code response.addCookie(...)}. On older application
     * servers that do not reject CR/LF in header values (the case the rule
     * message describes) the cookie header is the response-splitting sink.
     * The mitigation is to validate the value (no CR/LF) before it is used
     * as a header value, or to rely on a container that rejects such values.
     */
    @RequestMapping(method = RequestMethod.GET)
    @PreAuthorize(Permissions.ADMIN)
    @ResponseBody
    public void list(HttpServletRequest request, HttpServletResponse response) {
        // ruleid:http-response-splitting
        String author = request.getParameter(AUTHOR_PARAMETER);
        Cookie cookie = new Cookie("author", author);
        response.addCookie(cookie);
    }

    /**
     * Copies a path variable into a cookie value.
     *
     * <p>This is the rule's second pattern: the method has a
     * {@code @PathVariable} parameter, and that parameter is the cookie
     * value passed to {@code response.addCookie(...)}. Same risk and same
     * mitigation as {@link #list}.
     */
    @RequestMapping(value = "/{name}", method = RequestMethod.POST)
    @PreAuthorize(Permissions.USER)
    @ResponseBody
    public void load(@PathVariable final String name, HttpServletResponse response) throws APIException {
        // ruleid:http-response-splitting
        Cookie cookie = new Cookie("author", name);
        response.addCookie(cookie);
    }

    /**
     * Negative case for the rule's scope, not a claim that the value is safe.
     *
     * <p>{@code name} is a plain method parameter: it is neither read via
     * {@code getParameter(...)} nor annotated {@code @PathVariable}, so
     * neither of the rule's patterns binds it and the rule does not report
     * here. A caller could still pass request-derived data in; the rule
     * simply does not track that. {@code Response} is a project type, not
     * {@code HttpServletResponse}.
     */
    private Response safe(String name, Response response) {
        // ok:http-response-splitting
        Cookie cookie = new Cookie("author", name);
        response.addCookie(cookie);
        return response;
    }

    /**
     * Negative case: path variables are present but never reach the header.
     *
     * <p>{@code name} and {@code book} are passed only to
     * {@code AuthorObj.getAuthor(...)}; the cookie value is the string
     * literal {@code "1234"}, so no request-controlled data flows into
     * {@code response.addCookie(...)} and the rule is not expected to fire.
     */
    @RequestMapping(value = "/{name}/{book}", method = RequestMethod.POST)
    @PreAuthorize(Permissions.USER)
    @ResponseBody
    public void loadBook(@PathVariable final String name, @PathVariable final String book, HttpServletResponse response) throws APIException {
        AuthorObj author = AuthorObj.getAuthor(name, book);
        // ok:http-response-splitting
        Cookie cookie = new Cookie("sess", "1234");
        response.addCookie(cookie);
    }
}