Skip to content

Java: Insecure LDAP authentication #4854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aschackmull merged 9 commits into from
Feb 4, 2021
Merged

Java: Insecure LDAP authentication #4854

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
4ec78d0
Insecure LDAP authentication
luchua-bc Dec 21, 2020
c069a5b
Factor private host regex into the networking library and enhance the…
luchua-bc Jan 4, 2021
babe744
Add SECURITY_PROTOCOL check
luchua-bc Jan 13, 2021
e5a703e
Revamp the query
luchua-bc Jan 15, 2021
32c5462
Drop fieldName from the function for runtime evaluation
luchua-bc Jan 15, 2021
6a93099
Simplify the query and update qldoc
luchua-bc Jan 28, 2021
3151aef
Enhance the query
luchua-bc Feb 2, 2021
2ace10f
Use PostUpdateNode for wrapper method calls
luchua-bc Feb 3, 2021
724c3e0
Update help file
luchua-bc Feb 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add SECURITY_PROTOCOL check
  • Loading branch information
@luchua-bc
luchua-bc committed Jan 13, 2021
commit babe744a3011a4f7e2216ff5bd95bed241dd4984
30 changes: 24 additions & 6 deletions java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,22 +89,36 @@ predicate isProviderUrlSetter(MethodAccess ma) {
}

/**
* Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
* Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue` in some `Hashtable`.
*/
Comment thread
luchua-bc marked this conversation as resolved.
predicate isSimpleAuthEnv(MethodAccess ma) {
bindingset[fieldName, fieldValue, envValue]
predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue, string envValue) {
ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
(ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
Comment thread
luchua-bc marked this conversation as resolved.
Outdated
(
ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() =
"java.naming.security.authentication"
ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue
or
exists(Field f |
ma.getArgument(0) = f.getAnAccess() and
f.hasName("SECURITY_AUTHENTICATION") and
f.hasName(fieldName) and
f.getDeclaringType() instanceof TypeNamingContext
)
) and
ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "simple"
ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
}

/**
* Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
*/
predicate isSimpleAuthEnv(MethodAccess ma) {
hasEnvWithValue(ma, "SECURITY_AUTHENTICATION", "java.naming.security.authentication", "simple")
}

/**
* Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
*/
predicate isSSLEnv(MethodAccess ma) {
hasEnvWithValue(ma, "SECURITY_PROTOCOL", "java.naming.security.protocol", "ssl")
}

/**
Expand All @@ -124,6 +138,10 @@ class LdapAuthFlowConfig extends TaintTracking::Configuration {
exists(MethodAccess sma |
sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
isSimpleAuthEnv(sma)
) and
not exists(MethodAccess sma |
sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
isSSLEnv(sma)
)
)
}
Expand Down
14 changes: 7 additions & 7 deletions java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,19 @@
edges
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl |
nodes
| InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
| InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | semmle.label | ldapUrl |
| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | semmle.label | ldapUrl |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | semmle.label | ldapUrl |
| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | semmle.label | ldapUrl |
#select
| InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
| InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
15 changes: 15 additions & 0 deletions java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,21 @@ public void testSslLdapAuth(String ldapUserName, String password) {
DirContext dirContext = new InitialDirContext(environment);
}

// GOOD - Test LDAP authentication over SSL.
public void testSslLdapAuth2(String ldapUserName, String password) {
String ldapUrl = "ldap://ad.your-server.com:636";
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapUrl);
environment.put(Context.REFERRAL, "follow");
environment.put(Context.SECURITY_AUTHENTICATION, "simple");
environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
environment.put(Context.SECURITY_CREDENTIALS, password);
environment.put(Context.SECURITY_PROTOCOL, "ssl");
DirContext dirContext = new InitialDirContext(environment);
}

// GOOD - Test LDAP authentication with SASL authentication.
public void testSaslLdapAuth(String ldapUserName, String password) {
String ldapUrl = "ldap://ad.your-server.com:389";
Expand Down