Documentation

2023-07-25 21:05:54 -04:00 · 2023-07-25 21:05:54 -04:00 · b567ec875a
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@ -26,6 +26,9 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
  TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }

+/**
+ * A sanitizer for data that crosses a trust boundary.
+ */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }

 /**
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
@ -0,0 +1,8 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
+        // GOOD: The input is sanitized before being written to the response.
+        request.getSession().setAttribute("username", username);
+    }
+}
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@ -22,12 +22,21 @@

  <recommendation>
    <p>
-      Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the
-      application should validate the cookie before using it.
+      In order to maintain a trust boundary, data from less trusted sources should be validated before being used.
    </p>
  </recommendation>

  <example>
+    <p>
+      In the first (bad) example, the server accepts a parameter from the user and uses it to set the username without validation.
+    </p>
+    <sample src="examples/TrustBoundaryVulnerable.java" />
+
+    <p>
+      In the second (good) example, the server validates the parameter before using it to set the username.
+    </p>
+    <sample src="examples/TrustBoundaryFixed.java" />
+
  </example>

  <references>
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
@ -0,0 +1,6 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    // BAD: The input is written to the response without being sanitized.
+    request.getSession().setAttribute("username", username);
+}