Merge pull request #4771 from intrigus-lgtm/split-cwe-295

Java: Add unsafe hostname verification query and remove existing overlapping query
Anders Schack-Mulligen
2021-01-13 11:31:38 +01:00
committed by GitHub
14 changed files with 403 additions and 110 deletions


@@ -1,7 +1,5 @@
| UnsafeCertTrustTest.java:27:4:27:74 | init(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:42:4:42:38 | init(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:55:3:60:4 | setDefaultHostnameVerifier(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:73:3:73:57 | setDefaultHostnameVerifier(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:124:25:124:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:135:25:135:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:144:34:144:83 | createSocket(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:92:25:92:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:103:25:103:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
| UnsafeCertTrustTest.java:112:34:112:83 | createSocket(...) | Unsafe configuration of trusted certificates |


@@ -48,31 +48,6 @@ public class UnsafeCertTrustTest {
}
}
/**
* Test the implementation of trusting all hostnames as an anonymous class
*/
public void testTrustAllHostnameOfAnonymousClass() {
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
});
}
/**
* Test the implementation of trusting all hostnames as a variable
*/
public void testTrustAllHostnameOfVariable() {
HostnameVerifier verifier = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
};
HttpsURLConnection.setDefaultHostnameVerifier(verifier);
}
private static final X509TrustManager TRUST_ALL_CERTIFICATES = new X509TrustManager() {
@Override
public void checkClientTrusted(final X509Certificate[] chain, final String authType)
@@ -109,13 +84,6 @@ public class UnsafeCertTrustTest {
}
};
public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // Noncompliant
}
};
/**
* Test the endpoint identification of SSL engine is set to null
*/