Merge branch 'insecureJmxRmiServerEnvironment' of github.com:mogwailabs/codeql into insecureJmxRmiServerEnvironment

2026-05-01 11:45:14 +02:00 · 2021-05-25 16:41:17 +02:00
parent 59ebe08c78 f44b97c1c3
commit 72901e3724
3 changed files with 8 additions and 10 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java
@@ -17,8 +17,8 @@ public class CorrectJmxInitialisation {
        /* Restrict the login function to String Objects only (see CVE-2016-3427) */
        Map<String, Object> env = new HashMap<String, Object>();
        // For Java 10+
-        String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
+        String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
                
        /* Java 9 or below:
        env.put("jmx.remote.rmi.server.credential.types",
--- a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java
@@ -7,8 +7,8 @@ public class CorrectRmiInitialisation {
        /* Restrict the login function to String Objects only (see CVE-2016-3427) */
        Map<String, Object> env = new HashMap<String, Object>();
        // For Java 10+
-        String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
-        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
+        String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+        env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
                
        /* Java 9 or below
        env.put("jmx.remote.rmi.server.credential.types",
--- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp
@@ -10,10 +10,8 @@ method, resulting in the attempted deserialization of an attacker-controlled obj
 </overview>

 <recommendation>
-<p>During the creation/initialitation of an RMI or JMX server a properly set environment (Map) variable has
-to be passed as second parameter. 
-In order to disallow the deserialization of arbitrary objects the passed environment needs to set a deserialization filter.
-Ideally this filter only allows the deserialization to <code>java.lang.String</code>.
+<p>During the creation/initialization of an RMI or JMX server an environment should be supplied that sets a deserialization filter.
+Ideally this filter only allows the deserialization of <code>java.lang.String</code>.

 The filter can be configured by setting the key <code>jmx.remote.rmi.server.credentials.filter.pattern</code> (given by the constant <code>RMIConnectorServer.CREDENTIALS_FILTER_PATTERN</code>).
 The filter should (ideally) only allow java.lang.String and disallow all other classes for deserialization: (<code>"java.lang.String;!*"</code>).
@@ -21,10 +19,10 @@ The filter should (ideally) only allow java.lang.String and disallow all other c
 The key-value pair can be set as following:

 <code>
-String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
+String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String

 Map<String, Object> env = new HashMap<String, Object>;
-env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
+env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
 </code>

 For applications using Java 9 or below: