Skip to content

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aschackmull merged 25 commits into from
Jan 13, 2021
Merged

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
8df5d77
Java: Model `HostnameVerifier` method
intrigus Dec 4, 2020
3da1cb0
Java: Add unsafe hostname verification query
intrigus Dec 4, 2020
70b0703
Java: Remove overlapping code
intrigus Dec 4, 2020
0a9df07
Apply suggestions from review.
intrigus Dec 9, 2020
e021158
Java: Tighter model of `HostnameVerifier#verify`
intrigus Dec 9, 2020
d98b171
Java: Make `EnvTaintedMethod` public + QL-Doc
intrigus Dec 9, 2020
a62a2e5
Java: Improve QL-Doc
intrigus Dec 9, 2020
9e2ef9b
Java: Filter results by feature flags.
intrigus Dec 9, 2020
33b0ff2
Java: Update test
intrigus Dec 9, 2020
c88f07d
Java: Accept test output
intrigus Dec 9, 2020
10fc2cf
Apply suggestions from code review
intrigus-lgtm Dec 14, 2020
355cb6e
Fix Qhelp format
intrigus-lgtm Dec 16, 2020
502e4c3
Java: Fix Qhelp
intrigus Dec 17, 2020
b8f3e64
Apply suggestions from code review
intrigus-lgtm Jan 4, 2021
e11304a
Java: Autoformat
intrigus Jan 5, 2021
f4b912c
Apply suggestions from doc review
intrigus-lgtm Jan 9, 2021
b469273
Java: Add QLDoc improve query message
intrigus Jan 7, 2021
1eb2b75
Java: Further reduce FPs, simply Flag2Guard flow
intrigus Jan 10, 2021
5c1e746
Java: Rename to `EnvReadMethod`
intrigus Jan 11, 2021
4cfdb10
Java: Improve QLDoc & simplify code
intrigus-lgtm Jan 11, 2021
722bd4d
Java: Revise qhelp
intrigus-lgtm Jan 11, 2021
85286f3
Java: Replace global flow by local flow
intrigus Jan 11, 2021
4fa8f5e
Java: Accept test changes
intrigus Jan 12, 2021
1901f6b
Java: Make @id @name of query more similar.
intrigus Jan 12, 2021
2931e1f
Java: Add change note for #4771
intrigus Jan 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Java: Remove overlapping code
  • Loading branch information
@intrigus
intrigus committed Jan 11, 2021
commit 70b0703952ef4c364990a4a183348ab44e901944
26 changes: 0 additions & 26 deletions java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,30 +1,4 @@
public static void main(String[] args) {
{
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
try { //GOOD: verify the certificate
Certificate[] certs = session.getPeerCertificates();
X509Certificate x509 = (X509Certificate) certs[0];
check(new String[]{host}, x509);
return true;
} catch (SSLException e) {
return false;
}
}
};
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
}

{
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // BAD: accept even if the hostname doesn't match
}
};
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
}

{
X509TrustManager trustAllCertManager = new X509TrustManager() {
Expand Down
8 changes: 4 additions & 4 deletions java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,18 +4,18 @@
<qhelp>

<overview>
<p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p>
<p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier (not checked by this query). Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p>
Comment thread
intrigus-lgtm marked this conversation as resolved.
Outdated
<p>And when SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p>
<p>Unsafe implementation of the interface X509TrustManager, HostnameVerifier, and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p>
<p>This query checks whether trust manager is set to trust all certificates, the hostname verifier is turned off, or setEndpointIdentificationAlgorithm is missing. The query also covers a special implementation com.rabbitmq.client.ConnectionFactory.</p>
<p>Unsafe implementation of the interface X509TrustManager and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p>
<p>This query checks whether trust manager is set to trust all certificates or setEndpointIdentificationAlgorithm is missing. The query also covers a special implementation com.rabbitmq.client.ConnectionFactory.</p>
</overview>

<recommendation>
<p>Validate SSL certificate in SSL authentication.</p>
</recommendation>

<example>
<p>The following two examples show two ways of configuring X509 trust cert manager and hostname verifier. In the 'BAD' case,
<p>The following two examples show two ways of configuring X509 trust cert manager. In the 'BAD' case,
no validation is performed thus any certificate is trusted. In the 'GOOD' case, the proper validation is performed.</p>
<sample src="UnsafeCertTrust.java" />
</example>
Expand Down
41 changes: 2 additions & 39 deletions java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/**
* @name Unsafe certificate trust and improper hostname verification
* @description Unsafe implementation of the interface X509TrustManager, HostnameVerifier, and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.
* @name Unsafe certificate trust
* @description Unsafe implementation of the interface X509TrustManager and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.
* @kind problem
* @id java/unsafe-cert-trust
* @tags security
Expand Down Expand Up @@ -53,42 +53,6 @@ class X509TrustAllManagerInit extends MethodAccess {
}
}

/**
* HostnameVerifier class that allows a certificate whose CN (Common Name) does not match the host name in the URL
*/
class TrustAllHostnameVerifier extends RefType {
TrustAllHostnameVerifier() {
this.getASupertype*() instanceof HostnameVerifier and
exists(Method m, ReturnStmt rt |
m.getDeclaringType() = this and
m.hasName("verify") and
rt.getEnclosingCallable() = m and
rt.getResult().(BooleanLiteral).getBooleanValue() = true
)
}
}

/**
* The setDefaultHostnameVerifier method of HttpsURLConnection with the trust all configuration
*/
class TrustAllHostnameVerify extends MethodAccess {
TrustAllHostnameVerify() {
this.getMethod().hasName("setDefaultHostnameVerifier") and
this.getMethod().getDeclaringType() instanceof HttpsURLConnection and //httpsURLConnection.setDefaultHostnameVerifier method
(
exists(NestedClass nc |
nc.getASupertype*() instanceof TrustAllHostnameVerifier and
this.getArgument(0).getType() = nc //Scenario of HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {...});
)
or
exists(Variable v |
this.getArgument(0).(VarAccess).getVariable() = v and
v.getInitializer().getType() instanceof TrustAllHostnameVerifier //Scenario of HttpsURLConnection.setDefaultHostnameVerifier(verifier);
)
)
}
}

class SSLEngine extends RefType {
SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
}
Expand Down Expand Up @@ -239,7 +203,6 @@ class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {

from MethodAccess aa
where
aa instanceof TrustAllHostnameVerify or
aa instanceof X509TrustAllManagerInit or
aa instanceof SSLEndpointIdentificationNotSet or
aa instanceof RabbitMQEnableHostnameVerificationNotSet
Expand Down
32 changes: 0 additions & 32 deletions java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,31 +48,6 @@ public SSLSocketFactory testTrustAllCertManagerOfVariable() {
}
}

/**
* Test the implementation of trusting all hostnames as an anonymous class
*/
public void testTrustAllHostnameOfAnonymousClass() {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
});
}

/**
* Test the implementation of trusting all hostnames as a variable
*/
public void testTrustAllHostnameOfVariable() {
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
};
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
}

private static final X509TrustManager TRUST_ALL_CERTIFICATES = new X509TrustManager() {
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
Expand Down Expand Up @@ -109,13 +84,6 @@ public X509Certificate[] getAcceptedIssuers() {
}
};

public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
};

/**
* Test the endpoint identification of SSL engine is set to null
*/
Expand Down