Commit Graph
13 Commits
Author SHA1 Message Date
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
29803562eb (Snyk) Fixed finding: "Improper Neutralization of CRLF Sequences in HTTP Headers" (#3424)
## Remediation

This change fixes "Improper Neutralization of CRLF Sequences in HTTP
Headers" (id = java/HttpResponseSplitting) identified by Snyk.

## Details

This change ensures that HTTP response header values can't contain
newline characters, leaving you vulnerable to HTTP response splitting
and other attacks.

If malicious users can get newline characters into an HTTP response
header, they can inject and forge new header values that look like they
came from the server, and trick web gateways, proxies, and browsers.
This leads to vulnerabilities like Cross-site Scripting (XSS), HTTP
response splitting, and more attacks from there.

Our change simply makes sure that if the string passed to be a new
response header value is non-null, all the newline characters (CR and
LF) will be removed:
```diff
+ import io.github.pixee.security.Newlines;
  ...
  String orderId = getUserOrderId();
- response.setHeader("X-Acme-Order-ID", orderId);
+ response.setHeader("X-Acme-Order-ID", Newlines.stripAll(orderId));
```

Note: Many modern application servers will sanitize these values, but
it's almost never specified in documentation, and thus there is little
guarantee against regression. Given that, we still recommend this
practice.

<details>
  <summary>More reading</summary>

*
[https://cwe.mitre.org/data/definitions/113](https://cwe.mitre.org/data/definitions/113)
*
[https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/)
*
[https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
*
[https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/](https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/)
</details>

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2025-04-26 23:25:03 +01:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
3afacf2405 Switch order of literals to prevent NullPointerException (#2769)
This change defensively switches the order of literals in comparison
expressions to ensure that no null pointer exceptions are unexpectedly
thrown. Runtime exceptions especially can cause exceptional and
unexpected code paths to be taken, and this can result in unexpected
behavior.

Both simple vulnerabilities (like information disclosure) and complex
vulnerabilities (like business logic flaws) can take advantage of these
unexpected code paths.

Our changes look something like this:

```diff
  String fieldName = header.getFieldName();
  String fieldValue = header.getFieldValue();
- if(fieldName.equals("requestId")) {
+ if("requestId".equals(fieldName)) {
    logRequest(fieldValue);
  }
```

<details>
  <summary>More reading</summary>

*
[https://cwe.mitre.org/data/definitions/476.html](https://cwe.mitre.org/data/definitions/476.html)
*
[https://en.wikibooks.org/wiki/Java_Programming/Preventing_NullPointerException](https://en.wikibooks.org/wiki/Java_Programming/Preventing_NullPointerException)
*
[https://rules.sonarsource.com/java/RSPEC-1132/](https://rules.sonarsource.com/java/RSPEC-1132/)
</details>

🧚🤖  Powered by Pixeebot  

[Feedback](https://ask.pixee.ai/feedback) |
[Community](https://pixee-community.slack.com/signup#/domain-signup) |
[Docs](https://docs.pixee.ai/) | Codemod ID:
pixee:java/switch-literal-first
![](https://d1zaessa2hpsmj.cloudfront.net/pixel/v1/track?writeKey=2PI43jNm7atYvAuK7rJUz3Kcd6A&event=DRIP_PR%7CStirling-Tools%2FStirling-PDF%7Cc45a84d1797c774f11f1a6a0ccbbd8ee5a208be3)


<!--{"type":"DRIP","codemod":"pixee:java/switch-literal-first"}-->

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2025-01-22 10:39:47 +00:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
d832a90de0 (CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")
" (#2344)

(CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")
"

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-11-27 07:16:03 +00:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
af5e2b6895 Modernize and secure temp file creation (#2106)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-10-28 23:19:12 +00:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
09c9944fc3 Switch order of literals to prevent NullPointerException (#2035)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-10-18 07:15:10 +01:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>Anthony Stirlinggithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>GitHub Action
b31564968c Introduced protections against system command injection (#2011)
* Introduced protections against system command injection

* Update translation files (#2034)

Signed-off-by: GitHub Action <[email protected]>
Co-authored-by: GitHub Action <[email protected]>

---------

Signed-off-by: GitHub Action <[email protected]>
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
Co-authored-by: Anthony Stirling <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: GitHub Action <[email protected]>
2024-10-18 00:10:42 +01:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
b7d37deb85 Refactored to use parameterized SQL APIs (#1545)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-07-09 21:18:32 +01:00
pixeebot[bot]andGitHub 88338b4dbc (Sonar) Fixed finding: "Utility classes should not have public constructors" 2024-06-07 07:52:26 +00:00
pixeebot[bot]andGitHub 9147d364bc (Sonar) Fixed finding: "@Override should be used on overriding and implementing methods" 2024-06-07 04:38:10 +00:00
pixeebot[bot]andGitHub 503acc9408 Introduced protections against HTTP header injection / smuggling attacks 2024-05-07 03:44:03 +00:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
5564f378e5 (Sonar) Fix "String#replace should be preferred to String#replaceAll" (#1056)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-04-09 06:52:52 +01:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
54c3bee205 Replaced Stream.collect(Collectors.toList()) with Stream.toList() (Sonar) (#1018)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-04-03 22:41:24 +01:00
pixeebot[bot]GitHubpixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
1035a3be31 Define a constant for a literal string that is duplicated n times (Sonar) (#978)
Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
2024-03-28 17:44:10 +00:00