Documentation

egregius313 · egregius313 · commit b567ec875a64 · 2023-08-17T13:05:37.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -26,6 +26,9 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
   TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }
 }
 
+/**
+ * A sanitizer for data that crosses a trust boundary.
+ */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
 
 /**
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryFixed.java
@@ -0,0 +1,8 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    if (validator.isValidInput("HTTP parameter", username, "username", 20, false)) {
+        // GOOD: The input is sanitized before being written to the response.
+        request.getSession().setAttribute("username", username);
+    }
+}
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.qhelp
@@ -22,12 +22,21 @@
 
   <recommendation>
     <p>
-      Validate input coming from a user. For example, if a web application accepts a cookie from a user, then the
-      application should validate the cookie before using it.
+      In order to maintain a trust boundary, data from less trusted sources should be validated before being used.
     </p>
   </recommendation>
 
   <example>
+    <p>
+      In the first (bad) example, the server accepts a parameter from the user and uses it to set the username without validation.
+    </p>
+    <sample src="examples/TrustBoundaryVulnerable.java" />
+
+    <p>
+      In the second (good) example, the server validates the parameter before using it to set the username.
+    </p>
+    <sample src="examples/TrustBoundaryFixed.java" />
+
   </example>
 
   <references>
diff --git a/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java b/java/ql/src/Security/CWE/CWE-501/TrustBoundaryVulnerable.java
@@ -0,0 +1,6 @@
+public void doGet(HttpServletRequest request, HttpServletResponse response) {
+    String username = request.getParameter("username");
+
+    // BAD: The input is written to the response without being sanitized.
+    request.getSession().setAttribute("username", username);
+}

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,9 @@ class TrustBoundaryViolationSink extends DataFlow::Node {`
`26`	`26`	`TrustBoundaryViolationSink() { sinkNode(this, "trust-boundary") }`
`27`	`27`	`}`
`28`	`28`
	`29`	`+/**`
	`30`	`+ * A sanitizer for data that crosses a trust boundary.`
	`31`	`+ */`
`29`	`32`	`abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }`
`30`	`33`
`31`	`34`	`/**`