[Java] CWE-348: Using a client-supplied IP address in a security check#5631
Conversation
| @Target({ElementType.TYPE}) | ||
| @Retention(RetentionPolicy.RUNTIME) | ||
| @Documented | ||
| @Component |
There was a problem hiding this comment.
| /** A data flow sink of method return or log output or local print. */ | ||
| class UseOfLessTrustedSink extends DataFlow::Node { | ||
| UseOfLessTrustedSink() { | ||
| exists(ReturnStmt rs | rs.getResult() = this.asExpr()) |
There was a problem hiding this comment.
If we're treating returning as a sink we might as well flag any use of X-Forwarded-For except splitting and taking the rightmost value.
There was a problem hiding this comment.
The result of return as a sink, I think the method is a util method, this usage is common.
There was a problem hiding this comment.
Right, but you don't care about what is done with it subsequently? This is so general that there's almost no point checking how it is used at all.
There was a problem hiding this comment.
If so, I think there is a problem as long as there is a place to call this method. If you consider what to do with the result of the client ip method, I think there will be a false negative rate. What do you think?
There was a problem hiding this comment.
What uses do you actually consider dangerous, besides logging?
There was a problem hiding this comment.
In addition to local output or log records, there are also user authentication based on client ip, database storage, etc., but their use is not unique, so I think it is impossible to standardize the definition.
There was a problem hiding this comment.
Can we let the security-lab review it together?
There was a problem hiding this comment.
E.g:
- The client ip detects whether there is login permission: UserServiceImpl
- Limit the number of logins for the client ip, which is common in scenarios such as blasting and ticketing: CaptchaService
- Insert the database as a record: LogDB
- Save it in
JavaBeanand insert into the database: MenuController
There was a problem hiding this comment.
I can, but as this stands I would have to warn them that the query will produce really strange results:
- Directly used in logging call: positive
- Directly used in a rate-limiter: negative
- Directly returned: positive
- Returned in a field: negative
A user of this query would be very confused, because their expectation is that the way the value is used is the important thing, not trivial aspects of dataflow like is it returned from a function or used in function-local scope.
I would recommend you find some e.g. rate-limiting utility that would constitute a dangerous way to use this identifier. Alternatively you can choose to send this to the security lab with the health warning attached.
There was a problem hiding this comment.
Thank you, I agree to let them know the current situation, and I also want to listen to their suggestions, so as to implement a changed query.
| .getASupertype*() | ||
| .hasQualifiedName("javax.servlet", "ServletRequest") and | ||
| this.getArgument(0).toString().toLowerCase() in [ | ||
| "\"wl-proxy-client-ip\"", "\"proxy-client-ip\"", "\"http_client_ip\"", |
There was a problem hiding this comment.
Perhaps provide a link regarding how you chose this list of header values?
There was a problem hiding this comment.
Reference:
| } | ||
|
|
||
| /** The first one in the method to get the ip value through `x-forwarded-for`. */ | ||
| predicate xffIsFirstGet(Node node) { |
There was a problem hiding this comment.
Explain what you're intending to do here? Should this suppress some warnings completely, or just prevent repeated warnings in the same function?
There was a problem hiding this comment.
Ensure that x-forwarded-for is the first to be obtained in the method of obtaining client ip.
| .hasQualifiedName("javax.servlet", "ServletRequest") and | ||
| this.getArgument(0).toString().toLowerCase() in [ | ||
| "\"wl-proxy-client-ip\"", "\"proxy-client-ip\"", "\"http_client_ip\"", | ||
| "\"http_x_forwarded_for\"", "\"x-real-ip\"" |
There was a problem hiding this comment.
Explain why you're using these headers for xffIsFirstGet but only X-Forwarded-For in the main query?
There was a problem hiding this comment.
This is related to the xffIsFirstGet predicate.
There was a problem hiding this comment.
Right, but why are you checking for all these possibilities here, but only X-Forwarded-For in UseOfLessTrustedSource? What is special about that header that means you trust it less than X-Real-IP for instance?
There was a problem hiding this comment.
Yes, and X-Forwarded-For has a high usage rate.
There was a problem hiding this comment.
Why are you only considering X-Forwarded-For a source of error? Isn't X-Real-IP exactly the same? I don't understand why you consider all 5 for the purposes of finding out if this is the first check in this function, but only one for the source.
There was a problem hiding this comment.
X-Forwarded-For is a superposition process when used, format: client, proxy1, proxy2. X-Real-IP is a process of coverage when in use.
There was a problem hiding this comment.
Right, which is why you suppose that taking the right-most comma-separated piece of X-Forwarded-For might be safer than the left-most. If X-Real-IP doesn't get used that way then it's simply always dangerous to trust, right? But at the moment we treat it as always safe?
There was a problem hiding this comment.
Thank you for reviewing my pr.
You are right. But I still find it weird, regarding the questions here and above, I would like to hear the opinions of security-lab. Hope you can understand.
…SourceLib.qll Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
| exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma | | ||
| ma.getQualifier() = node.asExpr() and | ||
| ma.getMethod() instanceof SplitMethod and | ||
| not aa.getIndexExpr().toString() = "0" |
There was a problem hiding this comment.
| not aa.getIndexExpr().toString() = "0" | |
| not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0 |
|
After discussing with colleages, I have decided I will reject this PR unless you can replace the highly-general |
I will try to find the accurate sink from github. In addition, I want to know if the source needs to be changed here? |
|
I would strongly advise to use the same list of headers that specify a remote endpoint identifier (X-Forwarded-For, X-Real-IP, ...) as you used elsewhere in this PR. X-Forwarded-For only differs in that it is sometimes possible to comma-split it and so retrieve a safe(r) version of it. |
Thank you for your suggestion, I will reflect it in the next version. |
|
There are several changes in this revision:
lgtm result for reference. |
| * `if (remoteAddr == null || "".equals(remoteAddr)) {...` judging whether the client ip is a null value, | ||
| * it needs to be excluded | ||
| */ | ||
| private class IfConditionSink extends UseOfLessTrustedSink { |
There was a problem hiding this comment.
This is still a very very broad sink. I would much rather we looked for specific patterns we think are dangerous (for example, the startsWith condition you describe in the comment than to just exclude 7 or 8 cases you think are probably FPs and flag every other if statement.
If we look positively for suspicious usage, we can also avoid insisting the expression occurs directly with an if statement -- instead the sink is simply any startsWith(...) call, or an .equals with a non-blank right-hand side, or similar.
…SourceLib.qll Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
The |
|
My recommendation for improving the query is to restrict it so that it only flags cases like this one: In other words, only flag if-conditions that contain a hard-coded IP address: "192.168.0", "127.0.0", etc. Those are the places where an attacker has a higher chance of an authentication bypass by sending a spoofed IP address in the X-Forwarded-For field. |
This will have a false negative. @smowton What is your suggestion on this? |
|
That looks pretty precise. Implement it and let's test it? |
|
ok |
Please review. |
|
Made an all-projects run of this for the security lab to look at |
|
Thanks. The results are looking much better now. There is just one false positive pattern that seems to come up a lot: Examples:
So it might be worth adding special case for that pattern, but otherwise I am happy with this now. |
I made a modification to this false positive, please review the lgtm result. https://lgtm.com/query/2916758049910443110/ |
smowton
left a comment
There was a problem hiding this comment.
Rename "UseOfLessTrustedSource" -> "ClientSuppliedIpUsedInSecurityCheck" everywhere, including filenames and class names.
| ma.getAnArgument() | ||
| .(CompileTimeConstantExpr) | ||
| .getStringValue() | ||
| .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$") |
There was a problem hiding this comment.
Factor the regex out into something like
string getIpAddressRegex() { result = ... }
…Source.qhelp Co-authored-by: Chris Smowton <smowton@github.com>
…SourceLib.qll Co-authored-by: Chris Smowton <smowton@github.com>
…Source.java Co-authored-by: Chris Smowton <smowton@github.com>
|
@smowton @kevinbackhouse thanks. |
If an application trusts an HTTP request header like X-Forwarded-For to accurately specify the remote IP address of the connecting client.