Skip to content

Potential fix for code scanning alert no. 44: HTTP response splitting #3504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
strehle merged 4 commits into from
Jun 23, 2025
Merged

Potential fix for code scanning alert no. 44: HTTP response splitting #3504

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1153fab
Potential fix for code scanning alert no. 44: HTTP response splitting
strehle Jun 2, 2025
b15ad2f
Merge remote-tracking branch 'origin/develop' into alert-autofix-44
strehle Jun 4, 2025
0b29416
Merge remote-tracking branch 'origin/develop' into alert-autofix-44
strehle Jun 22, 2025
2055ed7
refactor cookie creation
strehle Jun 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 2 additions & 15 deletions ...n/java/org/cloudfoundry/identity/uaa/login/AccountSavingAuthenticationSuccessHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@

import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand All @@ -30,10 +30,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

import static java.nio.charset.StandardCharsets.UTF_8;
import static org.springframework.http.HttpHeaders.SET_COOKIE;

@Component
Expand Down Expand Up @@ -71,7 +68,7 @@
savedAccountOption.setOrigin(uaaPrincipal.getOrigin());
savedAccountOption.setUserId(uaaPrincipal.getId());
savedAccountOption.setUsername(uaaPrincipal.getName());
Cookie savedAccountCookie = new Cookie("Saved-Account-" + uaaPrincipal.getId(), encodeCookieValue(JsonUtils.writeValueAsString(savedAccountOption)));
Cookie savedAccountCookie = UaaUrlUtils.createSavedCookie(uaaPrincipal.getId(), savedAccountOption);
savedAccountCookie.setPath(request.getContextPath() + "/login");
savedAccountCookie.setHttpOnly(true);
savedAccountCookie.setSecure(request.isSecure());
Expand All @@ -81,7 +78,7 @@
response.addCookie(savedAccountCookie);
}

Cookie currentUserCookie = null;

Check warning

Code scanning / CodeQL

Cleartext storage of sensitive information in cookie Medium

This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
try {
currentUserCookie = currentUserCookieFactory.getCookie(uaaPrincipal);
} catch (CurrentUserCookieFactory.CurrentUserCookieEncodingException e) {
Expand All @@ -90,14 +87,4 @@
String headerValue = rfc6265CookieProcessor.generateHeader(currentUserCookie);
response.addHeader(SET_COOKIE, headerValue);
}

public static String encodeCookieValue(String inValue) throws IllegalArgumentException {
String out = null;
try {
out = URLEncoder.encode(inValue, UTF_8.name());
} catch (UnsupportedEncodingException e) {
throw new IllegalArgumentException(e);
}
return out;
}
}
3 changes: 2 additions & 1 deletion server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpoint.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import org.cloudfoundry.identity.uaa.util.MapCollector;
import org.cloudfoundry.identity.uaa.util.SessionUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.web.UaaSavedRequestAwareAuthenticationSuccessHandler;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
Expand Down Expand Up @@ -624,11 +625,11 @@

@RequestMapping(value = {"/delete_saved_account"})
public String deleteSavedAccount(HttpServletRequest request, HttpServletResponse response, String userId) {
Cookie cookie = new Cookie("Saved-Account-%s".formatted(userId), "");
Cookie cookie = UaaUrlUtils.createSavedCookie(userId, null);
cookie.setMaxAge(0);
cookie.setPath(request.getContextPath() + "/login");
cookie.setSecure(true);
response.addCookie(cookie);

Check warning

Code scanning / CodeQL

Cleartext storage of sensitive information in cookie Medium

This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
This stores cookie
new Cookie(...)
Loading
containing
sensitive data
Loading
which was
added to the cookie
Loading
.
return "redirect:/login";
}

Expand Down
19 changes: 19 additions & 0 deletions server/src/main/java/org/cloudfoundry/identity/uaa/util/UaaUrlUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,14 @@
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.HashMap;
Expand All @@ -25,6 +28,7 @@
import java.util.StringTokenizer;
import java.util.regex.Pattern;

import static java.nio.charset.StandardCharsets.UTF_8;
import static java.util.Collections.emptyList;
import static java.util.Optional.ofNullable;
import static org.springframework.util.StringUtils.hasText;
Expand Down Expand Up @@ -310,6 +314,21 @@ public static String normalizeUri(String uri) {
return uriComponentsBuilder.build().toString();
}

public static String urlEncode(String inValue) throws IllegalArgumentException {
String out;
try {
out = URLEncoder.encode(inValue, UTF_8.name());
} catch (UnsupportedEncodingException e) {
throw new IllegalArgumentException(e);
}
return out;
}

public static Cookie createSavedCookie(String userId, Object value) {
String cookieValue = ObjectUtils.isEmpty(value) ? UaaStringUtils.EMPTY_STRING : urlEncode(JsonUtils.writeValueAsString(value));
return new Cookie("Saved-Account-%s".formatted(urlEncode(userId)), cookieValue);
}

private static String decodeUriPath(final String path) {
if (path == null) {
return null;
Expand Down
Loading