hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source 
Co-authored-by: Chris Smowton <smowton@github.com>
This commit is contained in:
intrigus-lgtm
2020-12-14 15:51:53 +01:00
committed by intrigus
parent c88f07dde4
commit 10fc2cf9f8
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp
View File

@@ -15,14 +15,14 @@ An attack would look like this:
5. Java wants to reject the certificate because the hostname does not match. Before doing this it checks whether there exists a <code>HostnameVerifier</code>.
6. Your <code>HostnameVerifier</code> is called which returns <code>true</code> for any certificate so also for this one.
7. Java proceeds with the connection since your <code>HostnameVerifier</code> accepted it.
8. The attacker can now read the data (Man-in-the-middle) your program sends to <code>https://example.com</code> while the program thinks the connection is secure.
8. The attacker can now read the data your program sends to <code>https://example.com</code> and/or alter its replies while the program thinks the connection is secure.
</p>
</overview>
<recommendation>
<p>
Do NOT use an unverifying <code>HostnameVerifier</code>!
<li>If you use an unverifying verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.
Do not use an open <code>HostnameVerifier</code>.
<li>If you use an open verifier to solve a configuration problem with TLS/HTTPS you should solve the configuration problem instead.
</li>
</p>
@@ -42,4 +42,4 @@ In the second (good) example, the <code>HostnameVerifier</code> only returns <co
<li><a href="https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/">Further Information on Hostname Verification</a>.</li>
<li>OWASP: <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>.</li>
</references>
</qhelp>
</qhelp>

4
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
View File

@@ -1,6 +1,6 @@
/**
* @name Disabled hostname verification
* @description Accepting any certificate as valid for a host allows an attacker to perform a man-in-the-middle attack.
* @description Accepting any certificate as valid for a host allows an attacker to perform a machine-in-the-middle attack.
* @kind path-problem
* @problem.severity error
* @precision high
@@ -29,7 +29,7 @@ private predicate alwaysReturnsTrue(HostnameVerifierVerify m) {
}
/**
* A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (ignoring exceptional flow), thus
* A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (though it could also exit due to an uncaught exception), thus
* accepting any certificate despite a hostname mismatch.
*/
class TrustAllHostnameVerifier extends RefType {