Java: Add unsafe hostname verification query

java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.expected

@@ -0,0 +1,18 @@
+edges
+| UnsafeHostnameVerification.java:68:31:73:3 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:74:49:74:56 | verifier |
+| UnsafeHostnameVerification.java:77:69:82:2 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:33:50:33:76 | ALLOW_ALL_HOSTNAME_VERIFIER |
+nodes
+| UnsafeHostnameVerification.java:13:49:18:3 | new (...) | semmle.label | new (...) |
+| UnsafeHostnameVerification.java:25:49:25:65 | ...->... | semmle.label | ...->... |
+| UnsafeHostnameVerification.java:33:50:33:76 | ALLOW_ALL_HOSTNAME_VERIFIER | semmle.label | ALLOW_ALL_HOSTNAME_VERIFIER |
+| UnsafeHostnameVerification.java:46:49:46:65 | ...->... | semmle.label | ...->... |
+| UnsafeHostnameVerification.java:58:50:58:76 | ...->... | semmle.label | ...->... |
+| UnsafeHostnameVerification.java:68:31:73:3 | new (...) : new HostnameVerifier(...) { ... } | semmle.label | new (...) : new HostnameVerifier(...) { ... } |
+| UnsafeHostnameVerification.java:74:49:74:56 | verifier | semmle.label | verifier |
+| UnsafeHostnameVerification.java:77:69:82:2 | new (...) : new HostnameVerifier(...) { ... } | semmle.label | new (...) : new HostnameVerifier(...) { ... } |
+#select
+| UnsafeHostnameVerification.java:13:49:18:3 | new (...) | UnsafeHostnameVerification.java:13:49:18:3 | new (...) | UnsafeHostnameVerification.java:13:49:18:3 | new (...) | $@ that accepts any certificate as valid, is used here. | UnsafeHostnameVerification.java:13:49:18:3 | new (...) | This hostname verifier |
+| UnsafeHostnameVerification.java:25:49:25:65 | ...->... | UnsafeHostnameVerification.java:25:49:25:65 | ...->... | UnsafeHostnameVerification.java:25:49:25:65 | ...->... | $@ that accepts any certificate as valid, is used here. | UnsafeHostnameVerification.java:25:49:25:65 | ...->... | This hostname verifier |
+| UnsafeHostnameVerification.java:46:49:46:65 | ...->... | UnsafeHostnameVerification.java:46:49:46:65 | ...->... | UnsafeHostnameVerification.java:46:49:46:65 | ...->... | $@ that accepts any certificate as valid, is used here. | UnsafeHostnameVerification.java:46:49:46:65 | ...->... | This hostname verifier |
+| UnsafeHostnameVerification.java:58:50:58:76 | ...->... | UnsafeHostnameVerification.java:58:50:58:76 | ...->... | UnsafeHostnameVerification.java:58:50:58:76 | ...->... | $@ that accepts any certificate as valid, is used here. | UnsafeHostnameVerification.java:58:50:58:76 | ...->... | This hostname verifier |
+| UnsafeHostnameVerification.java:74:49:74:56 | verifier | UnsafeHostnameVerification.java:68:31:73:3 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:74:49:74:56 | verifier | $@ that accepts any certificate as valid, is used here. | UnsafeHostnameVerification.java:68:31:73:3 | new (...) : new HostnameVerifier(...) { ... } | This hostname verifier |

java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java

@@ -0,0 +1,84 @@
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSession;
+
+public class UnsafeHostnameVerification {
+
+	private static final boolean DISABLE_VERIFICATION = true;
+
+	/**
+	 * Test the implementation of trusting all hostnames as an anonymous class
+	 */
+	public void testTrustAllHostnameOfAnonymousClass() {
+		HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
+			@Override
+			public boolean verify(String hostname, SSLSession session) {
+				return true; // BAD, always returns true
+			}
+		});
+	}
+
+	/**
+	 * Test the implementation of trusting all hostnames as a lambda.
+	 */
+	public void testTrustAllHostnameLambda() {
+		HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // BAD, always returns true
+	}
+
+	/**
+	 * Test an all-trusting hostname verifier that is guarded by a flag
+	 */
+	public void testGuardedByFlagTrustAllHostname() {
+		if (DISABLE_VERIFICATION) {
+			HttpsURLConnection.setDefaultHostnameVerifier(ALLOW_ALL_HOSTNAME_VERIFIER); // GOOD: The all-trusting
+																						// hostname verifier is guarded
+																						// by a feature flag
+		}
+	}
+
+	public void testGuardedByFlagAccrossCalls() {
+		if (DISABLE_VERIFICATION) {
+			functionThatActuallyDisablesVerification();
+		}
+	}
+
+	private void functionThatActuallyDisablesVerification() {
+		HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // GOOD [but detected as BAD], because we only
+																			// check guards inside a function
+		// and not accross function calls. This is considerer GOOD because the call to
+		// `functionThatActuallyDisablesVerification` is guarded by a feature flag in
+		// `testGuardedByFlagAccrossCalls`.
+		// Although this is not ideal as another function could directly call
+		// `functionThatActuallyDisablesVerification` WITHOUT checking the feature flag.
+	}
+
+	public void testTrustAllHostnameDependingOnDerivedValue() {
+		String enabled = System.getProperty("disableHostnameVerification");
+		if (Boolean.parseBoolean(enabled)) {
+			HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);  // GOOD [but detected as BAD].
+			                                                                   // This is GOOD, because it depends on a feature
+			                                                                   // flag, but this is not detected by the query.
+		}
+	}
+
+	/**
+	 * Test the implementation of trusting all hostnames as a variable
+	 */
+	public void testTrustAllHostnameOfVariable() {
+		HostnameVerifier verifier = new HostnameVerifier() {
+			@Override
+			public boolean verify(String hostname, SSLSession session) {
+				return true; // BAD, always returns true
+			}
+		};
+		HttpsURLConnection.setDefaultHostnameVerifier(verifier);
+	}
+
+	public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new HostnameVerifier() {
+		@Override
+		public boolean verify(String hostname, SSLSession session) {
+			return true; // BAD, always returns true
+		}
+	};
+}
+

java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-297/UnsafeHostnameVerification.ql