Exclude loopback address from reverse DNS source

Owen Mansel-Chan
2024-06-14 12:21:23 +01:00
parent 5973f3fadc
commit 7a13c31021
2 changed files with 3 additions and 3 deletions


@@ -126,7 +126,7 @@ private class ReverseDnsSource extends RemoteFlowSource {
m.getMethod() instanceof ReverseDnsMethod and
not exists(MethodCall l |
(variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
l.getMethod().getName() = "getLocalHost"
(l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
)
)
}
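Review bot: The exclusion inside `not exists(MethodCall l | …)` matches on the method name alone, so a call to any method named `getLocalHost` or `getLoopbackAddress`, on any type, also suppresses the reverse-DNS source and can hide a real conditional-bypass finding. Tie it to the declaring type, for example `l.getMethod().hasQualifiedName("java.net", "InetAddress", ["getLocalHost", "getLoopbackAddress"])`, which also replaces the two-way `or` with a set literal. Confirm that the static call written as `Inet4Address.getLoopbackAddress()` in the test still resolves to the `InetAddress` declaration. The QLDoc on `ReverseDnsSource` should say that lookups on the local-host and loopback addresses are deliberately not sources. The characteristic predicate starts before this hunk.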


@@ -53,10 +53,10 @@ class ConditionalBypassTest {
InetAddress loopback = InetAddress.getLoopbackAddress();
// GOOD: reverse DNS on loopback address is fine
if (loopback.getCanonicalHostName().equals("localhost")) {
login(user, password); // $ SPURIOUS: hasConditionalBypassTest
login(user, password); // $ hasConditionalBypassTest
}
if (Inet4Address.getLoopbackAddress().getCanonicalHostName().equals("localhost")) {
login(user, password); // $ SPURIOUS: hasConditionalBypassTest
login(user, password); // $ hasConditionalBypassTest
}
}
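Review bot: Both `login(user, password)` calls under `// GOOD: reverse DNS on loopback address is fine` carry a `hasConditionalBypassTest` expectation in every variant shown, which does not fit a change that stops treating loopback lookups as a source. If the new side is `// $ hasConditionalBypassTest`, the test asserts an alert on code the comment calls safe, and a regression of the exclusion would pass unnoticed. The new side would more plausibly be a bare `login(user, password);` on both lines. The rendering has lost the `+`/`-` markers, so check which line of each pair is current. The enclosing test method starts outside the hunk.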