
[NEW MODEL] Undertow XSS: Query parameters to HTTP response#4

Draft
Copilot wants to merge 4 commits into main from copilot/create-undertow-data-extension

Conversation


Copilot AI commented Jan 26, 2026

📝 Query Information

  • Language: Java
  • Query ID: java/undertow-xss
  • Category: security
  • Severity: error
  • CWE/CVE: CWE-79 (Cross-site Scripting)

🎯 Description

What This Query Detects

XSS vulnerabilities in Undertow applications where untrusted query parameters flow to HTTP response output without sanitization.

Implementation: Data extension (models-as-data) defining:

  • Source: io.undertow.server.HttpServerExchange.getQueryParameters() → Map<String, Deque<String>> containing remote user input
  • Sinks: 8 variants of io.undertow.io.Sender.send() → HTML injection points

Example Vulnerable Code

```java
import io.undertow.Undertow;
import java.util.Deque;

Undertow server = Undertow.builder()
    .addHttpListener(8080, "localhost")
    .setHandler(exchange -> {
        Deque<String> params = exchange.getQueryParameters().get("name");
        String name = params != null ? params.getFirst() : "world";
        // XSS: user input flows directly to response
        exchange.getResponseSender().send("<html><body>Hello " + name + "</body></html>");
    }).build();
server.start();
```

Example Safe Code

```java
import io.undertow.Undertow;
import java.util.Deque;
import org.apache.commons.text.StringEscapeUtils;

Undertow server = Undertow.builder()
    .addHttpListener(8080, "localhost")
    .setHandler(exchange -> {
        Deque<String> params = exchange.getQueryParameters().get("name");
        String name = params != null ? params.getFirst() : "world";
        // Safe: HTML-escaped before output, so the sink receives sanitized data
        String sanitized = StringEscapeUtils.escapeHtml4(name);
        exchange.getResponseSender().send("<html><body>Hello " + sanitized + "</body></html>");
    }).build();
server.start();
```

🧪 Testing

  • Positive test cases included
  • Negative test cases included
  • Edge cases covered
  • All tests pass

Test Results:

  • 1 remote source detected: getQueryParameters()
  • 1 XSS sink detected: send()
  • 1 vulnerability found: query parameter → HTTP response flow

📋 Checklist

  • Query compiles without errors
  • Documentation complete (.md and .qhelp)
  • Metadata properly set (@name, @id, @kind, etc.)
  • Tests validate query behavior
  • No false positives in test cases

🔗 References


Note: This query was developed using Test-Driven Development methodology.

Original prompt

This section details the original issue you should resolve

<issue_title>[Query Create]: Undertow</issue_title>
<issue_description>### Target Language

java

Data Extension Name (Optional)

undertow.model.yml

Data Extension Type

sourceModel, sinkModel

Data Extension Description

Undertow is an HTTP library for Java

Code Examples

```java
/*
 * This Java source file was generated by the Gradle 'init' task.
 */
package org.example;

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import java.util.Deque;
import javax.crypto.Cipher;

public class App {
    public String getGreeting() {
        return "Hello World!";
    }

    public static void main(String[] args) {
        System.out.println(new App().getGreeting());
        try {
            Runtime.getRuntime().exec("ls");
            Cipher rsanopad = Cipher.getInstance("RSA/ECB/NoPadding");
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "localhost")
                .setHandler(new HttpHandler() {
                    @Override
                    public void handleRequest(final HttpServerExchange exchange) throws Exception {
                        String name = "world";
                        Deque<String> res = exchange.getQueryParameters().get("namex"); // source
                        if (res != null) {
                            name = res.getFirst();
                        }
                        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/html");
                        exchange.getResponseSender().send("<html><body>Hello " + name + "</body></html>"); // sink: XSS
                    }
                }).build();
        server.start();
    }
}
```

References (Optional)

https://github.com/undertow-io/undertow

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)
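The models-as-data extension the PR describes (one remote source on getQueryParameters(), a sink on each of the eight Sender.send() overloads), written out as an added example; this is not the PR's own undertow.model.yml. The overload signatures are taken from Undertow's io.undertow.io.Sender interface and the column layout follows CodeQL's Java sourceModel/sinkModel format.

```yaml
# Added example of a CodeQL models-as-data extension for Undertow (not the PR's file).
# Column layout: package, type, subtypes, name, signature, ext, output/input, kind, provenance.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # getQueryParameters() returns Map<String, Deque<String>>; the access path walks
      # into the map's values and then into the Deque's elements, so the String obtained
      # via getFirst()/peek() is what the XSS query treats as a remote source.
      - ["io.undertow.server", "HttpServerExchange", true, "getQueryParameters", "()", "", "ReturnValue.MapValue.Element", "remote", "manual"]

  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # Every Sender.send() overload writes its first argument into the response body;
      # "html-injection" is the sink kind consumed by the Java XSS query.
      - ["io.undertow.io", "Sender", true, "send", "(java.lang.String)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.lang.String,io.undertow.io.IoCallback)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.lang.String,java.nio.charset.Charset)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.lang.String,java.nio.charset.Charset,io.undertow.io.IoCallback)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.nio.ByteBuffer)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.nio.ByteBuffer,io.undertow.io.IoCallback)", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.nio.ByteBuffer[])", "", "Argument[0]", "html-injection", "manual"]
      - ["io.undertow.io", "Sender", true, "send", "(java.nio.ByteBuffer[],io.undertow.io.IoCallback)", "", "Argument[0]", "html-injection", "manual"]
```

exchange.getResponseSender() returns the Sender interface, so the handler's send() call in the examples above resolves against these rows; subtypes=true also covers Undertow's concrete Sender implementations, and the escapeHtml4 path in the safe example stays unflagged because the Java XSS query already treats HTML escaping as a sanitizer.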



Copilot AI and others added 3 commits January 26, 2026 23:37
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
…ity vulnerabilities

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Copilot AI changed the title [WIP] Create Undertow HTTP library data extension [NEW QUERY] Undertow XSS: Query parameters to HTTP response Jan 27, 2026
Copilot AI requested a review from felickz January 27, 2026 00:21
@felickz felickz changed the title [NEW QUERY] Undertow XSS: Query parameters to HTTP response [NEW MODEL] Undertow XSS: Query parameters to HTTP response Feb 18, 2026


Development

Successfully merging this pull request may close these issues.

[Extension Create]: Undertow