Fixed and validated qhelp

Timo Mueller
2021-06-25 15:37:47 +02:00
parent d0478eac95
commit 5aeeb3a801
5 changed files with 17 additions and 19 deletions

@@ -26,26 +26,11 @@ The filter should (ideally) only allow java.lang.String and disallow all other c
<p>The key-value pair can be set as following:</p>
<code>
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
Map&lt;String, Object&gt; env = new HashMap&lt;String, Object&gt;;
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
</code>
<sample src="example_filter_java_10.java" />
<p>For applications using Java 6u113 to 9:</p>
<code>
// This is deprecated in Java 10+ !
Map&lt;String, Object&gt; env = new HashMap&lt;String, Object&gt;;
env.put (
"jmx.remote.rmi.server.credential.types",
new String[]{
String[].class.getName(),
String.class.getName()
}
);
</code>
<sample src="example_filter_java_9.java" />
<p>Please note that the JMX-RMI service is vulnerable in the default configuration.
For this reason an initialization with a <code>null</code> environment is also vulnerable.</p>
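Review bot: the paragraph introducing the first sample ("The key-value pair can be set as following:") does not say which Java versions it applies to, while the second one does ("For applications using Java 6u113 to 9"). Since the sample file is named example_filter_java_10.java, state the version range in the text as well, so a reader on Java 9 or earlier does not pick the wrong setting. While touching the line, "as following" should read "as follows". The two new sample names use lowercase snake_case, whereas the samples referenced later in this file use CamelCase; one convention would be easier to maintain.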
@@ -56,11 +41,11 @@ For this reason an initialization with a <code>null</code> environment is also v
<p>The first example shows how an JMX server is initialized securely with the <code>JMXConnectorServerFactory.newJMXConnectorServer()</code> call.</p>
<sample src="CorrectJmxInitialisation.java" />
<sample src="CorrectJMXConnectorServerFactoryEnvironmentInitialisation.java" />
<p>The second example shows how a JMX Server is initialized securely if the <code>RMIConnectorServer</code> class is used.</p>
<sample src="CorrectRmiInitialisation.java" />
<sample src="CorrectRMIConnectorServerEnvironmentInitalisation.java" />
</example>
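Review bot: the sample name CorrectRMIConnectorServerEnvironmentInitalisation.java is spelled "Initalisation" (missing an "i"), while the other reference in this hunk spells it "Initialisation". Either fix the spelling in both the src attribute and the file name, or confirm the file on disk carries the same misspelling, otherwise the sample will not resolve. The two paragraphs also differ in wording ("an JMX server" and "a JMX Server"); "a JMX server" in both would be consistent.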

@@ -0,0 +1,4 @@
String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
Map<String, Object> env = new HashMap<String, Object>;
env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
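Review bot: the second line of this new sample, "new HashMap<String, Object>;", is missing the constructor parentheses and does not compile; it should be "new HashMap<String, Object>();". Because readers copy this snippet directly to set the credentials filter, it is worth compiling the sample once before merging. The hunk header declares four added lines but only three carry content, so check for a stray trailing blank line too.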

@@ -0,0 +1,9 @@
// This is deprecated in Java 10+ !
Map<String, Object>; env = new HashMap<String, Object>;
env.put (
"jmx.remote.rmi.server.credential.types",
new String[]{
String[].class.getName(),
String.class.getName()
}
);
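Review bot: the declaration line "Map<String, Object>; env = new HashMap<String, Object>;" has a stray semicolon after the type and is missing the constructor parentheses, so the sample does not compile. It should read "Map<String, Object> env = new HashMap<String, Object>();". The stray semicolon is not present in the inline version of this snippet in the qhelp file, so it looks like it was introduced when the HTML entities were converted back to angle brackets. The comment "This is deprecated in Java 10+ !" would be more useful if it named the replacement, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, which the other sample uses.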