Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
The product receives data from an HTTP agent/component, and it places this data in HTTP response headers without neutralizing CRLF sequences.
An attacker can inject CRLF sequences into HTTP headers to create additional headers or response body content. This can lead to cache poisoning, cross-site scripting, or other attacks.
How to fix this vulnerability
Measures to prevent HTTP Response Splitting, based on 3 Shoulder detection rules.
Strip CRLF characters from user input before setting HTTP headers
package main - import "net/http" - - func handler(w http.ResponseWriter, r *http.Request) { - lang := r.URL.Query().Get("lang") - // Vulnerable: user input set as header value - w.Header().Set("Content-Language", lang) + import ( + "net/http" + "strings" + ) + + func sanitizeHeaderValue(s string) string { + s = strings.ReplaceAll(s, "\r", "") + s = strings.ReplaceAll(s, "\n", "") + return s + } + + func handler(w http.ResponseWriter, r *http.Request) { + lang := r.URL.Query().Get("lang") + // Safe: CRLF characters stripped + w.Header().Set("Content-Language", sanitizeHeaderValue(lang)) w.Write([]byte("OK")) }
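Review bot: the fix strips only `\r` and `\n`, so a `lang` value containing any other control byte (for example NUL) still reaches `w.Header().Set`, and stripping silently rewrites attacker input instead of failing the request. `Content-Language` has a well-defined shape (a language tag such as `en` or `pt-BR`), so validate `lang` against that allowlist and answer 400 when it does not match rather than sanitizing an arbitrary string into the header. Both versions also discard the error returned by `w.Write`; check it or explicitly ignore it with `_, _ = w.Write(...)`.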
Strip CRLF characters from user input before using in HTTP headers
- from flask import request, make_response - - @app.route('/download') - def download(): - filename = request.args.get('filename') - response = make_response("content") - response.headers['Content-Disposition'] = f'attachment; filename="(unknown)"' + import re + from flask import request, make_response + + def sanitize_header(value): + return re.sub(r'[\r\n]', '', str(value)) + + @app.route('/download') + def download(): + filename = request.args.get('filename', '') + safe_filename = sanitize_header(filename) + response = make_response("content") + response.headers['Content-Disposition'] = f'attachment; filename="{safe_filename}"' return response
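Review bot: `sanitize_header` removes CR and LF but leaves `"` and `\` untouched, so a filename such as `a".txt"; foo=bar` closes the quoted-string in `Content-Disposition` and appends its own parameter; a filename with non-ASCII characters is also interpolated into the header verbatim. Escape backslash and double quote (or percent-encode the name into a `filename*=UTF-8''...` parameter) and reject, rather than strip, control characters. With Werkzeug you can let the library quote the parameter, `response.headers.set('Content-Disposition', 'attachment', filename=safe_filename)`, or avoid hand-building the header entirely with `flask.send_file(..., as_attachment=True, download_name=safe_filename)`.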
Find vulnerabilities in your code
Scan your code for Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') patterns with Shoulder. 3 rules.
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=113

# Or scan entire project
npx @shoulderdev/cli trust .
Detection rules (3)
What to look for in code review
These patterns indicate potential Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerabilities. Look for them during code review and security audits.
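The two fixes above strip CR and LF before a header is set. The following example is added for this page (it is not Shoulder's code, nor one of its detection rules) and shows both why the pattern matters and what a stricter fix looks like. A constructed `lang` query value is written by a naive header serializer, which turns it into a second `Set-Cookie` header and a body fragment; the hardened version then does what a reviewer should ask for: reject any control byte instead of silently stripping it, allowlist `Content-Language` to the shape of a language tag, and build `Content-Disposition` so that quotes and non-ASCII filenames are escaped or percent-encoded rather than interpolated. The payload and all helper names (`build_raw_response`, `hardened_response`, `content_disposition_attachment`, and so on) are this example's own assumptions; the raw serializer stands in for a server or framework without CRLF protection of its own.

```python
"""Added example: HTTP response splitting via a CRLF in a header value, and
the hardened handling (reject, allowlist, escape) that prevents it.
Helper names and the payload below are assumptions made for this example."""
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed attack payload (not from the page): a "lang" query value that
# smuggles a second header and a body fragment through one header value.
ATTACK_LANG = "en\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"


def build_raw_response(headers, body):
    """Serialize a response the way a naive server would: header values are
    written verbatim, so CR/LF inside a value becomes a real line break."""
    lines = ["HTTP/1.1 200 OK"] + [f"{name}: {value}" for name, value in headers]
    return (CRLF.join(lines) + CRLF + CRLF + body).encode("latin-1")


def parse_raw_response(raw):
    """Parse the wire bytes as a client would; returns (status, headers, body)."""
    head, _, body = raw.decode("latin-1").partition(CRLF + CRLF)
    status, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def vulnerable_response(lang):
    """Mirrors the 'before' code on this page: untrusted input copied into a header."""
    raw = build_raw_response([("Content-Type", "text/html"), ("Content-Language", lang)], "OK")
    return parse_raw_response(raw)


# --- hardening -------------------------------------------------------------

# Every control byte, not just CR and LF: none of them belongs in a header value.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Shape of an RFC 5646 language tag, e.g. "en", "pt-BR", "zh-Hant-TW".
_LANG_TAG = re.compile(r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*")


class BadHeaderValue(ValueError):
    """Raised instead of silently rewriting a header value."""


def header_value_is_clean(value):
    return _CONTROL.search(value) is None


def require_clean_header_value(value):
    """Reject rather than strip: a control character in a header value is an
    attack or a bug, and the caller should answer 400, not mangle the header."""
    if not header_value_is_clean(value):
        raise BadHeaderValue("control character in HTTP header value")
    return value


def safe_content_language(lang, default="en"):
    """Allowlist: only a well-formed language tag is echoed back."""
    return lang if _LANG_TAG.fullmatch(lang) else default


def content_disposition_attachment(filename):
    """Build a Content-Disposition value that cannot be broken out of.

    The quoted-string form needs backslash and double quote escaped and control
    bytes removed; the full name also goes into the RFC 5987 filename* parameter
    as percent-encoded UTF-8, where CR, LF, '"' and ';' become %XX sequences."""
    clean = _CONTROL.sub("", filename)
    ascii_name = clean.encode("ascii", "replace").decode("ascii")
    ascii_name = ascii_name.replace("\\", "\\\\").replace('"', '\\"')
    extended = quote(clean, safe="")
    return f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{extended}"


def hardened_response(lang):
    """The same handler with allowlist and rejection applied before the header is set."""
    value = require_clean_header_value(safe_content_language(lang))
    raw = build_raw_response([("Content-Type", "text/html"), ("Content-Language", value)], "OK")
    return parse_raw_response(raw)


if __name__ == "__main__":
    _, hdrs, body = vulnerable_response(ATTACK_LANG)
    print("vulnerable: injected set-cookie present:", "set-cookie" in hdrs, "| body:", body[:25])
    _, hdrs, body = hardened_response(ATTACK_LANG)
    print("hardened:   injected set-cookie present:", "set-cookie" in hdrs, "| body:", body)
    print(content_disposition_attachment('résumé".pdf\r\nX: y'))
```

Run it directly to watch the injected `set-cookie` header appear in the parsed vulnerable response and vanish in the hardened one. The design choice worth noting is that `content_disposition_attachment` still removes control bytes from the filename, because a quoted-string cannot carry them, but everything else is escaped or percent-encoded rather than deleted, so the user's actual filename survives intact in `filename*` while quotes and semicolons lose their ability to terminate the header.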
Scan your codebase: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
The Shoulder CLI finds vulnerable patterns across your entire codebase.