LGTM.com - false positive - Java - Netty Response Splitting

**Description of the false positive**

When the `DefaultFullHttpResponse` is used in a limited scope where it's provable that no headers are added from sources other than static locations, this is a safe place where verification is safe to disable.

Since this query already gets so few hits, I think that it's safe to continue to flag all other cases, even when QL can't prove that user supplied data flows to netty because many libraries are simply wrappers for netty so wouldn't directly show data flow from user supplied data.

**URL to the alert on the project page on LGTM.com**

 - https://lgtm.com/projects/g/eclipse-vertx/vert.x/snapshot/229594b9c483132e6efa5c24f66f826a990b53de/files/src/main/java/io/vertx/core/http/impl/Http1xUpgradeToH2CHandler.java?sort=name&dir=ASC&mode=heatmap#L83
 - https://lgtm.com/projects/g/eclipse-vertx/vert.x/snapshot/229594b9c483132e6efa5c24f66f826a990b53de/files/src/main/java/io/vertx/core/http/impl/Http1xUpgradeToH2CHandler.java?sort=name&dir=ASC&mode=heatmap#L113

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

LGTM.com - false positive - Java - Netty Response Splitting #2908

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

LGTM.com - false positive - Java - Netty Response Splitting #2908

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions