Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

ID

scala.inject.scala_inject_rule_httpparameterpollution

Severity

high

Resource

Inject

Language

Scala

Description

Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. An attacker may be able to override existing parameter values, inject a new parameter, or reach variables that are not directly exposed. HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query-string delimiters (such as `&` and `=`) into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

import java.net.URLEncoder
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}
import org.apache.commons.httpclient.methods.GetMethod      // HttpClient 3.x
import org.apache.http.client.methods.HttpGet               // HttpClient 4.x
import com.google.common.net.UrlEscapers.urlPathSegmentEscaper

class HttpParameterPollution extends HttpServlet {
  override def doGet(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    try {
      // Attacker-controlled value taken straight from the request.
      val item = request.getParameter("item")
      // In HttpClient 4.x there is no GetMethod anymore; HttpGet replaces it.
      // Encoding the value as a form/query component turns '&' and '=' into %26 and %3D.
      val httpget = new HttpGet("http://host.com?param=" + URLEncoder.encode(item, "UTF-8")) //OK
      // VULNERABLE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
      val httpget2 = new HttpGet("http://host.com?param=" + item) //BAD
      // A path-segment escaper leaves '&' and '=' untouched (they are legal inside a path
      // segment), so it does not neutralize query-string delimiters.
      val httpget3 = new HttpGet("http://host.com?param=" + urlPathSegmentEscaper().escape(item))
      // VULNERABLE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
      val get = new GetMethod("http://host.com?param=" + item)
      // VULNERABLE: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
      get.setQueryString("item=" + item) //BAD
    } catch {
      case e: Exception =>
        System.out.println(e)
    }
  }
}

Remediation

Never concatenate raw user input into a URL or query string. Encode every user-supplied value as a query component before it is appended (the sample above marks `URLEncoder.encode` as acceptable), or build the query with a client API that takes name/value pairs and performs the encoding itself. Path-segment escapers are not a substitute, because they leave `&` and `=` unescaped. Follow secure coding practices and review the references below for further remediation guidance.
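The following stand-alone Scala program is an added example, not code from the rule or its author. It places the flagged concatenation pattern beside a hardened builder that encodes each query component, then parses both resulting URLs the way a server would split the query, so the extra parameter introduced by the polluted value becomes visible. The host name comes from the rule's own sample; the tainted value `book&admin=true` is a constructed input.

```scala
import java.net.{URI, URLEncoder}

object HppExample {
  // Constructed sample input: a value that smuggles a query delimiter and a second key.
  val taintedItem: String = "book&admin=true"

  // Mirrors the pattern the rule flags: raw concatenation of user input (do not use).
  def buildUnsafe(base: String, item: String): String =
    base + "?param=" + item

  // Hardened form: each name and value is encoded as an
  // application/x-www-form-urlencoded component, so '&' and '=' inside a
  // value become %26 and %3D and can no longer act as delimiters.
  def buildSafe(base: String, params: Seq[(String, String)]): String = {
    val query = params.map { case (k, v) =>
      URLEncoder.encode(k, "UTF-8") + "=" + URLEncoder.encode(v, "UTF-8")
    }.mkString("&")
    base + "?" + query
  }

  // Split the raw query into the name/value pairs a typical server sees,
  // without decoding, so the parameter count reflects the wire form.
  def queryParams(url: String): Seq[(String, String)] = {
    val raw = Option(new URI(url).getRawQuery).getOrElse("")
    if (raw.isEmpty) Seq.empty
    else raw.split("&").toSeq.map { pair =>
      pair.split("=", 2) match {
        case Array(k, v) => (k, v)
        case Array(k)    => (k, "")
      }
    }
  }

  def main(args: Array[String]): Unit = {
    val unsafe = buildUnsafe("http://host.com", taintedItem)
    val safe   = buildSafe("http://host.com", Seq("param" -> taintedItem))

    // The polluted URL carries two parameters (param and admin); the encoded one carries one.
    println(s"unsafe: $unsafe")
    println(s"  parameters seen by the server: ${queryParams(unsafe)}")
    println(s"safe:   $safe")
    println(s"  parameters seen by the server: ${queryParams(safe)}")
  }
}
```

Running `HppExample.main` shows `param=book` and `admin=true` arriving as separate parameters from the unsafe URL, while the encoded URL delivers a single `param` whose value still contains the literal `&` once the server decodes it. A review checklist for this rule therefore reduces to one question per URL construction site: is every user-controlled piece passed through a query-component encoder (or a parameter-aware client API) before concatenation?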

Configuration

This detector does not need any configuration.

References