From 05ebb2344265b8c1a039fa98e873b962ff39a7f5 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Wed, 4 Feb 2026 16:38:45 -0500
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 2: HTTP response splitting
Fix response splitting in: Benchmark00087.java
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../owasp/benchmark/testcode/Benchmark00087.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
index ca188b0..0554119 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
@@ -29,6 +29,18 @@ public class Benchmark00087 extends HttpServlet {
 private static final long serialVersionUID = 1L;
+ /**
+ * Sanitize a value for safe use as a cookie value by removing CR, LF and
+ * other non-printable control characters that could enable header splitting.
+ */
+ private static String sanitizeForCookie(String value) {
+ if (value == null) {
+ return null;
+ }
+ // Remove CR, LF and other control characters (0x00-0x1F and 0x7F)
+ return value.replaceAll("[\\x00-\\x1F\\x7F]", "");
+ }
+
 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
@@ -86,7 +98,8 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 str = new String(input, 0, i);
 }
 if ("".equals(str)) str = "No cookie value supplied";
- javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", str);
+ String safeStr = sanitizeForCookie(str);
+ javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", safeStr);
 cookie.setSecure(false);
 cookie.setHttpOnly(true);
From 3a30eddbcf4312572eca487c19db3d6f41e9afc8 Mon Sep 17 00:00:00 2001
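Review bot: `sanitizeForCookie` recompiles its regex on every call through `String.replaceAll`; hoist it into a constant in the file's fully-qualified style, `private static final java.util.regex.Pattern CONTROL_CHARS = java.util.regex.Pattern.compile("[\\x00-\\x1F\\x7F]");`, and return `CONTROL_CHARS.matcher(value).replaceAll("")`. This file is an OWASP Benchmark test case, so stripping CR and LF here changes what the case exercises: if Benchmark00087 is recorded as a true positive for response splitting in the benchmark's expected-results data (not part of this diff), that entry needs to be updated with this patch or correct detections will be scored as false positives. The Javadoc should also say that the method drops characters silently rather than rejecting the input, for example `* Control characters are removed silently; callers that need to detect tampering should compare the result with the input.` The enclosing class and the `doGet` method that begins at the end of the hunk continue outside it.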
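Review bot: The sanitization runs after the empty-value check, so a value consisting only of control characters (a bare CRLF, for instance) passes `"".equals(str)` as non-empty, is reduced to `""` by `sanitizeForCookie`, and is set as an empty cookie instead of the `"No cookie value supplied"` default. Sanitize first and then apply the default: `str = sanitizeForCookie(str);` followed by the existing `if ("".equals(str)) str = "No cookie value supplied";`, then pass `str` to the `Cookie` constructor and drop `safeStr`. The `doPost` body begins and ends outside the hunk, so where `input` comes from is not visible here.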
From: Dave Wichers
Date: Wed, 4 Feb 2026 21:46:29 +0000
Subject: [PATCH 2/2] Fix formatting.
---
 .../java/org/owasp/benchmark/testcode/Benchmark00087.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java b/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
index 0554119..50f5944 100644
--- a/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
+++ b/src/main/java/org/owasp/benchmark/testcode/Benchmark00087.java
@@ -30,8 +30,8 @@ public class Benchmark00087 extends HttpServlet {
 private static final long serialVersionUID = 1L;
 /**
- * Sanitize a value for safe use as a cookie value by removing CR, LF and
- * other non-printable control characters that could enable header splitting.
+ * Sanitize a value for safe use as a cookie value by removing CR, LF and other non-printable
+ * control characters that could enable header splitting.
 */
 private static String sanitizeForCookie(String value) {
 if (value == null) {