Added a query for ignored hostname verification

- Added IgnoredHostnameVerification.ql - Added a qhelp file with examples - Added tests
2026-05-04 21:25:44 +02:00 · 2021-08-08 11:10:44 +02:00
parent f78002bc02
commit 2b33265d0f
2 changed files with 40 additions and 15 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
@@ -1,6 +1,7 @@
 import java.io.IOException;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;

@@ -89,4 +90,19 @@ public class IgnoredHostnameVerification {
    throw new SSLException("Oops! Hostname verification failed!");
  }

-}
+  public static class HostnameVerifierWrapper implements HostnameVerifier {
+
+    private final HostnameVerifier verifier;
+
+    public HostnameVerifierWrapper(HostnameVerifier verifier) {
+        this.verifier = verifier;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+        return verifier.verify(hostname, session); // GOOD: wrapped calls should not be reported
+    }
+
+  }
+
+}