Checkmarx HTTP_Response_Splitting

2021-10-07

前言

系統從 QueryString 取得加密過的檔案名稱，透過解密後，
要加入到 Response.Headers 裡時，
被 Checkmarx 掃出有 HTTP_Response_Splitting 的風險。
那怎麼辦呢?

解法

依 Checkmarx 提供的做法如下，

public void foo(HttpRequest Request, HttpResponse Response)
{
        string author = Request.Params["author"];
        
        if (!author.Contains('\n'))
        {
                author = HttpUtility.UrlEncode(author);
                Response.AppendHeader("Author", author);
        }
}

依範例調整如下，

Dim strFileName As String  = Request.QueryString("FileName")
if Not strFileName.Contains(vbCrLf, StringComparison.OrdinalIgnoreCase) Then 
    Response.ClearHeaders()
    Response.Clear()
    Response.Expires = 0
    Response.Buffer = True
    Response.AddHeader("content-disposition", "attachment; filename=" & strFileName)
    Response.ContentType = "application/octet-stream"
    Response.WriteFile(實際檔案路徑)
    Response.Flush()
End If

還是會被掃出 HTTP_Response_Splitting 的風險。
這時，可以再加上 UrlEncode 如下，

Dim strFileName As String  = Request.QueryString("FileName")
if Not strFileName.Contains(vbCrLf, StringComparison.OrdinalIgnoreCase) Then 
    Response.ClearHeaders()
    Response.Clear()
    Response.Expires = 0
    Response.Buffer = True
    Response.AddHeader("content-disposition", "attachment; filename=" & Server.UrlEncode(strFileName)))
    Response.ContentType = "application/octet-stream"
    Response.WriteFile(實際檔案路徑)
    Response.Flush()
End If

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true