Skip to content

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aschackmull merged 25 commits into from
Jan 13, 2021
Merged

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
8df5d77
Java: Model `HostnameVerifier` method
intrigus Dec 4, 2020
3da1cb0
Java: Add unsafe hostname verification query
intrigus Dec 4, 2020
70b0703
Java: Remove overlapping code
intrigus Dec 4, 2020
0a9df07
Apply suggestions from review.
intrigus Dec 9, 2020
e021158
Java: Tighter model of `HostnameVerifier#verify`
intrigus Dec 9, 2020
d98b171
Java: Make `EnvTaintedMethod` public + QL-Doc
intrigus Dec 9, 2020
a62a2e5
Java: Improve QL-Doc
intrigus Dec 9, 2020
9e2ef9b
Java: Filter results by feature flags.
intrigus Dec 9, 2020
33b0ff2
Java: Update test
intrigus Dec 9, 2020
c88f07d
Java: Accept test output
intrigus Dec 9, 2020
10fc2cf
Apply suggestions from code review
intrigus-lgtm Dec 14, 2020
355cb6e
Fix Qhelp format
intrigus-lgtm Dec 16, 2020
502e4c3
Java: Fix Qhelp
intrigus Dec 17, 2020
b8f3e64
Apply suggestions from code review
intrigus-lgtm Jan 4, 2021
e11304a
Java: Autoformat
intrigus Jan 5, 2021
f4b912c
Apply suggestions from doc review
intrigus-lgtm Jan 9, 2021
b469273
Java: Add QLDoc improve query message
intrigus Jan 7, 2021
1eb2b75
Java: Further reduce FPs, simply Flag2Guard flow
intrigus Jan 10, 2021
5c1e746
Java: Rename to `EnvReadMethod`
intrigus Jan 11, 2021
4cfdb10
Java: Improve QLDoc & simplify code
intrigus-lgtm Jan 11, 2021
722bd4d
Java: Revise qhelp
intrigus-lgtm Jan 11, 2021
85286f3
Java: Replace global flow by local flow
intrigus Jan 11, 2021
4fa8f5e
Java: Accept test changes
intrigus Jan 12, 2021
1901f6b
Java: Make @id @name of query more similar.
intrigus Jan 12, 2021
2931e1f
Java: Add change note for #4771
intrigus Jan 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Java: Update test
  • Loading branch information
@intrigus
intrigus committed Jan 11, 2021
commit 33b0ff28d83ac84685d42717b8fec9ed4810e729
21 changes: 18 additions & 3 deletions java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import javax.net.ssl.HostnameVerifier;
Comment thread
intrigus-lgtm marked this conversation as resolved.
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;

public class UnsafeHostnameVerification {

Expand Down Expand Up @@ -55,12 +56,26 @@ private void functionThatActuallyDisablesVerification() {
public void testTrustAllHostnameDependingOnDerivedValue() {
String enabled = System.getProperty("disableHostnameVerification");
if (Boolean.parseBoolean(enabled)) {
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // GOOD [but detected as BAD].
// This is GOOD, because it depends on a feature
// flag, but this is not detected by the query.
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // GOOD, because it depends on a feature
// flag.
}
}

public void testTrustAllHostnameWithExceptions() {
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
verify(hostname, session.getPeerCertificates());
return true; // GOOD [but detected as BAD]. The verification of the certificate is done in another method and
Copy link
Copy Markdown
Contributor Author

@intrigus-lgtm intrigus-lgtm Dec 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This kind of scenario is rather rare, of ~100 Alerts I've only seen this pattern once.

// in the case of a mismatch, an `Exception` is thrown so the `return true` statement never gets executed.
}

// Black-box method that properly verifies the certificate but throws an `Exception` in the case of a mismatch.
private void verify(String hostname, Certificate[] certs){}
};
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
}

/**
* Test the implementation of trusting all hostnames as a variable
*/
Expand Down