Must-share information (formatted with Markdown):
- which versions are you using (SonarQube Server / Community Build, Scanner, Plugin, and any relevant extension)
  9.9 build 65466
- how is SonarQube deployed: idk
- what are you trying to achieve
  I'm trying to solve the `SAST:find_sec_bugs.HRS_REQUEST_PARAMETER_TO_HTTP_HEADER` vulnerability
- what have you tried so far to achieve this
  I tried this code, but I still get the same message:
```java
StringBuilder sb = new StringBuilder();
for (char c = 0; c < 0x21; c++) sb.append(c);   // every character below 0x21 (control characters and space)
sb.append("\";,\\\u007F");                        // plus '"' ';' ',' '\' and DEL (0x7f)
response.setHeader("Content-disposition", "inline; filename=" + StringUtils.deleteAny(docGed.getName(), sb.toString()));
```
Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
I sadly don’t have access to sonar logs, but here is the vulnerability message:
HTTP Response Splitting is a vulnerability where Carriage Return (CR, `\r`) and Line Feed (LF, `\n`) characters are introduced into an HTTP header from user-supplied input. By injecting the `\r\n` character sequence, an adversary could potentially modify how the response is interpreted by the client or any downstream caching services. This could allow an adversary to poison the cache data or execute Cross-Site Scripting (XSS) attacks. Some Java application servers such as [Apache Tomcat](https://tomcat.apache.org/) will automatically encode characters from being set in response headers as a space (`0x20`) character. If your application server does not automatically provide this functionality, user-supplied input that is used in header keys or values must be validated. Example of validating headers to only allow valid characters:

```java
// throws an IllegalArgumentException if the provided value contains invalid characters
public void validateHeader(String value) throws IllegalArgumentException {
    char[] chars = value.toCharArray();
    // iterate over every character
    for (int i = 0; i < chars.length; i++) {
        char c = chars[i];
        // check for any characters below 0x21 as well as: '"' ',' ';' '\' and 0x7f.
        if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) {
            ...
```
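The rule description above recommends validating the user-supplied part of a header rather than trusting the value as a whole. The following is an added example, not code from the original post and not part of SonarQube or find-sec-bugs: it builds a `Content-Disposition` value from an allow-list (only characters known to be safe survive, everything else is replaced) and adds an RFC 5987 `filename*` parameter so non-ASCII names survive without a raw CR, LF or quote ever reaching the header. The class and method names, the Servlet-style `response.setHeader` target and the sample inputs are assumptions; whether a given static analyzer treats a particular method as a sanitizer is not something this thread establishes, so the point of the allow-list is that the untrusted bytes themselves never appear in the header.

```java
import java.nio.charset.StandardCharsets;

// Added example (assumed names). Caller is expected to do:
//   response.setHeader("Content-Disposition", ContentDispositionHeader.inlineDisposition(untrustedName));
public final class ContentDispositionHeader {

    private ContentDispositionHeader() {}

    // Same character policy as the rule description: reject anything below 0x21
    // (control characters including CR/LF, and space), DEL (0x7f) and the
    // separators '"', ',', ';' and '\'. Used here as a defence-in-depth check
    // on the values we built, not on the raw user input.
    public static void validateHeader(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x21 || c == '"' || c == ',' || c == ';' || c == '\\' || c == 0x7f) {
                throw new IllegalArgumentException(
                        "invalid header character 0x" + Integer.toHexString(c) + " at index " + i);
            }
        }
    }

    // Allow-list variant of the original post's deleteAny() approach: instead of
    // removing characters known to be bad, keep only [A-Za-z0-9._-] and replace
    // everything else with '_'. The result is safe inside a quoted filename.
    public static String asciiFilename(String name) {
        StringBuilder sb = new StringBuilder(name.length());
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
            sb.append(safe ? c : '_');
        }
        String out = sb.toString();
        return out.isEmpty() ? "file" : out;
    }

    // RFC 5987 / RFC 6266 "filename*" value: UTF-8 bytes, with everything outside
    // attr-char percent-encoded. Keeps non-ASCII names readable for the browser
    // while guaranteeing the header only contains attr-char and %XX sequences.
    public static String rfc5987Filename(String name) {
        StringBuilder sb = new StringBuilder("UTF-8''");
        for (byte b : name.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            boolean attrChar = (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z')
                    || (v >= '0' && v <= '9') || "!#$&+-.^_`|~".indexOf(v) >= 0;
            if (attrChar) {
                sb.append((char) v);
            } else {
                sb.append('%').append(String.format("%02X", v));
            }
        }
        return sb.toString();
    }

    // Builds the full header value from an untrusted file name.
    public static String inlineDisposition(String untrustedName) {
        String ascii = asciiFilename(untrustedName);
        String ext = rfc5987Filename(untrustedName);
        // Both derived values must pass the rule's own character policy.
        validateHeader(ascii);
        validateHeader(ext);
        return "inline; filename=\"" + ascii + "\"; filename*=" + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs: a response-splitting attempt and a non-ASCII name.
        String[] samples = {
                "report.pdf",
                "evil.pdf\r\nSet-Cookie: session=attacker",
                "rapport \u00e9t\u00e9 2024.pdf"
        };
        for (String s : samples) {
            System.out.println(inlineDisposition(s).replace("\r", "\\r").replace("\n", "\\n"));
        }
    }
}
```

For the response-splitting sample, `asciiFilename` turns the injected `\r\n` and the colon and space into underscores, so the CR/LF never reaches `setHeader`; for the French name, `filename*=UTF-8''rapport%20%C3%A9t%C3%A9%202024.pdf` carries the real name while `filename="rapport__t__2024.pdf"` remains as the ASCII fallback.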