From b567ec875a640a5dd0e7df09ce873491fbb6760e Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Tue, 25 Jul 2023 21:05:54 -0400
Subject: [PATCH] Documentation
---
 .../java/security/TrustBoundaryViolationQuery.qll | 3 +++
 .../Security/CWE/CWE-501/TrustBoundaryFixed.java | 8 ++++++++
 .../CWE/CWE-501/TrustBoundaryViolation.qhelp | 13 +++++++++++--
 .../CWE/CWE-501/TrustBoundaryVulnerable.java | 6 ++++++
 4 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
 create mode 100644 java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
index 1f84f98018f..337c228bc75 100644
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -26,6 +26,9 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
 TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
 
+/**
+ * A sanitizer for data that crosses a trust boundary.
+ */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
 
 /**
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
new file mode 100644
index 00000000000..d9d3a29f314
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
@@ -0,0 +1,8 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+ String username = request.getParameter("username");
+
+ if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
+ // GOOD: The input is sanitized before being written to the response.
+ request.getSession().setAttribute("username", username);
+ }
+}
\ No newline at end of file
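Review bot: The new QLDoc on `TrustBoundaryValidationSanitizer` says what the class represents but not how it is meant to be used, which is the part a query author needs for an abstract class with no members of its own. I would state the extension contract explicitly, e.g. `/** A sanitizer for data that crosses a trust boundary. Extend this class to mark nodes (for example, the result of a validation check) at which tainted data should no longer be tracked. */` — the exact wording should be confirmed against how the query configuration consumes this class, which is not shown here. The enclosing file continues outside the hunk, including the `/**` block that follows the abstract class.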
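Review bot: The `// GOOD:` comment in TrustBoundaryFixed.java does not match the code beneath it: the value is stored with `request.getSession().setAttribute("username", username)`, not written to the response, and it is validated (`isValidInput` is used as a boolean guard) rather than sanitized. Suggest `// GOOD: The input is validated before being stored in the session.` The snippet also relies on an undeclared `validator`; a short comment naming the expected type (this looks like an ESAPI-style `Validator`, but nothing in the patch confirms it) would make the example self-contained. Worth a word in that comment too that an invalid value is silently dropped here, so readers do not copy the `if` without an error path as the complete handling.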
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
index 2c6148129d3..d4a5af8ed38 100644
--- a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@@ -22,12 +22,21 @@

- Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the
- application should validate the cookie before using it.
+ In order to maintain a trust boundary, data from less trusted sources should be validated before being used.

+

+ In the first (bad) example, the server accepts a parameter from the user and uses it to set the username without validation. +

+ + +

+ In the second (good) example, the server validates the parameter before using it to set the username. +

+ +
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
new file mode 100644
index 00000000000..f3a38f8e22f
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
@@ -0,0 +1,6 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+ String username = request.getParameter("username");
+
+ // BAD: The input is written to the response without being sanitized.
+ request.getSession().setAttribute("username", username);
+}
\ No newline at end of file
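Review bot: The `// BAD:` comment says the input is "written to the response", but the line it annotates stores it in the HTTP session via `request.getSession().setAttribute("username", username)`; `response` is never used in the method. Suggest `// BAD: The unvalidated request parameter is stored in the session, where later code may treat it as trusted.` That also lines up with the qhelp text in this patch, which frames the problem as using the parameter without validation rather than as an output-encoding issue.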