
Inconsistency in HTTP_RESPONSE_SPLITTING Rule: Discrepancy in Violation Reporting with Nested Class #719

Open
soyodream opened this issue Dec 22, 2023 · 0 comments
Labels
false-negative Something that we have miss.

Comments

@soyodream

Environment

| Component   | Version |
|-------------|---------|
| Java        | 11.0.19 |
| FindSecBugs | 1.12.0  |

Problem

I have identified an inconsistency in the detection behavior of the HTTP_RESPONSE_SPLITTING rule in find-sec-bugs. In the first code case, the rule correctly reports a BugInstance. However, when introducing a nested class, as shown in the second code case, the rule fails to report the BugInstance. This behavior is inconsistent.

Code

code1

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

class PersistentCookie extends HttpServlet {
    // Overrides HttpServlet.doGet, so the analyzer treats it as an entry point.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String email = req.getParameter("email"); // taint source: request parameter
        if (email != null && !email.equals("")) {
            setCookieFor1Week(email);
        }
    }

    private void setCookieFor1Week(String email) {
        // Sink: Cookie constructor with the tainted value. This is where
        // HTTP_RESPONSE_SPLITTING is reported for this case.
        Cookie cookie = new Cookie("emailCookie", email);
        cookie.setMaxAge(3600 * 24 * 7);
    }
}
```

code2

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

class PersistentCookie1 extends HttpServlet {
    // Same doGet body, but now inside an anonymous inner class that extends
    // Object, so this doGet does not override HttpServlet.doGet.
    Object anonWrap =
            new Object() {
                protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                        throws ServletException, IOException {
                    String email = req.getParameter("email"); // taint source
                    if (email != null && !email.equals("")) {
                        setCookieFor1Week(email); // calls the outer class's private method
                    }
                }
            };

    private void setCookieFor1Week(String email) {
        // Same sink as in code1; no BugInstance is reported for this case.
        Cookie cookie = new Cookie("emailCookie", email);
        cookie.setMaxAge(3600 * 24 * 7);
    }
}
```
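Whether or not the analyzer flags the call site, the fix is the same for both code shapes: validate the value before it reaches the Cookie constructor. The helper below is an added example, not code from this issue or from find-sec-bugs; it assumes the Servlet 3.0+ API and rejects any character outside the RFC 6265 cookie-octet set (which excludes CR, LF, `;`, `,`, `"`, `\` and whitespace) before building and adding the cookie.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

final class SafeCookies {
    private SafeCookies() {}

    /** True if every character is an RFC 6265 cookie-octet:
     *  %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E.
     *  CR (0x0D) and LF (0x0A), the header-splitting characters, fall outside this set. */
    static boolean isValidCookieValue(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean ok = c == 0x21
                    || (c >= 0x23 && c <= 0x2B)
                    || (c >= 0x2D && c <= 0x3A)
                    || (c >= 0x3C && c <= 0x5B)
                    || (c >= 0x5D && c <= 0x7E);
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    /** Hardened counterpart of setCookieFor1Week from the issue (hypothetical name reuse):
     *  refuses to build a cookie from a value that is not a clean cookie-octet string.
     *  Returns false when the value was rejected, so the caller can report an error. */
    static boolean setCookieFor1Week(HttpServletResponse resp, String email) {
        if (!isValidCookieValue(email)) {
            return false; // never reach the Cookie constructor with a tainted value
        }
        Cookie cookie = new Cookie("emailCookie", email);
        cookie.setMaxAge(3600 * 24 * 7);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        resp.addCookie(cookie);
        return true;
    }
}
```

Because the check lives in the shared private method, it covers the direct call in code1 and the call from the anonymous inner class in code2 alike.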
@h3xstream added the false-negative label on Feb 26, 2024