From a14ebb7c039cfeda6d63fd1942ef9b446d910eca Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Wed, 30 Nov 2022 11:42:19 +0000
Subject: [PATCH] Fixes
---
 .../code/java/security/AndroidCertificatePinningQuery.qll | 2 +-
 .../Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp | 2 ++
 ...ate-pinning.md => 2022-11-30-android-certificate-pinning.md} | 0
 .../CWE-295/AndroidMissingCertificatePinning/Test1/test.ql | 2 +-
 .../CWE-295/AndroidMissingCertificatePinning/Test2/test.ql | 2 +-
 .../CWE-295/AndroidMissingCertificatePinning/Test3/test.ql | 2 +-
 .../CWE-295/AndroidMissingCertificatePinning/Test4/test.ql | 2 +-
 .../CWE-295/AndroidMissingCertificatePinning/Test5/test.ql | 2 +-
 8 files changed, 8 insertions(+), 6 deletions(-)
 rename java/ql/src/change-notes/{2022-11-31-android-certificate-pinning.md => 2022-11-30-android-certificate-pinning.md} (100%)
diff --git a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
index 7c1a034363b..c8cf09bd0e9 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
@@ -144,5 +144,5 @@ predicate missingPinning(DataFlow::Node node, string domain) {
 /** Gets the domain name from the given string literal */
 private string getDomain(CompileTimeConstantExpr expr) {
- result = expr.getStringValue().regexpCapture("(https?://)?([^/]*)/?", 2)
+ result = expr.getStringValue().regexpCapture("(https?://)?([^/]*)(/.*)?", 2)
 }
diff --git a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp
index dbadf7a6fb7..db97c98250e 100644
--- a/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp
+++ b/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.qhelp
@@ -3,9 +3,11 @@ "qhelp.dtd"> +
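Review bot: In `getDomain`, the new pattern still captures everything up to the first `/` as the domain, so a literal such as `https://example.com:8443/api` yields `example.com:8443`, `https://user@example.com/` yields `user@example.com`, and a URL with a query but no path keeps the query in the capture. If the captured value is compared with the `<domain>` entries of the network security configuration (that comparison is outside this hunk, so this is inferred), a pinned host reached through such a URL would still be reported as unpinned. Consider excluding those delimiters from the host group, for example `regexpCapture("(https?://)?(?:[^/?#@]*@)?([^/?#:]*)(:[0-9]+)?([/?#].*)?", 2)`; bracketed IPv6 literals would need separate handling. The doc comment could state the contract explicitly: `/** Gets the host name (without scheme, userinfo, port or path) from the given string literal */`.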

Certificate pinning is the practice of only trusting a specific set of SSL certificates, rather than those that the device trusts by default. In Android applications, it is reccomended to use certificate pinning when communicating over the network, in order to minimize the risk of machine-in-the-middle attacks from a comprimised CA. +

diff --git a/java/ql/src/change-notes/2022-11-31-android-certificate-pinning.md b/java/ql/src/change-notes/2022-11-30-android-certificate-pinning.md
similarity index 100%
rename from java/ql/src/change-notes/2022-11-31-android-certificate-pinning.md
rename to java/ql/src/change-notes/2022-11-30-android-certificate-pinning.md
diff --git a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/test.ql b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/test.ql
index 22238774af5..6dc626a59e0 100644
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test1/test.ql
@@ -9,7 +9,7 @@ class Test extends InlineExpectationsTest {
 override predicate hasActualResult(Location loc, string el, string tag, string value) {
 exists(DataFlow::Node node |
- missingPinning(node) and
+ missingPinning(node, _) and
 loc = node.getLocation() and
 el = node.toString() and
 value = "" and
diff --git a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test2/test.ql b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test2/test.ql
index 22238774af5..6dc626a59e0 100644
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test2/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test2/test.ql
@@ -9,7 +9,7 @@ class Test extends InlineExpectationsTest {
 override predicate hasActualResult(Location loc, string el, string tag, string value) {
 exists(DataFlow::Node node |
- missingPinning(node) and
+ missingPinning(node, _) and
 loc = node.getLocation() and
 el = node.toString() and
 value = "" and
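Review bot: The updated call `missingPinning(node, _)` discards the new `domain` argument, so this test (and the identical hunks in Test2 through Test5) does not assert which domain was extracted; a regression in the `getDomain` pattern changed by this same commit would show up only indirectly, if at all. At least one of the tests could bind and report the value, e.g. `exists(DataFlow::Node node, string domain | missingPinning(node, domain) and` together with `value = domain` in place of `value = ""`, using a URL literal that has a path. `hasActualResult` continues past the end of the hunk, so the remaining conjuncts and the inline expectations in the test sources would need matching updates.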
diff --git a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test3/test.ql b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test3/test.ql
index 22238774af5..6dc626a59e0 100644
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test3/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test3/test.ql
@@ -9,7 +9,7 @@ class Test extends InlineExpectationsTest {
 override predicate hasActualResult(Location loc, string el, string tag, string value) {
 exists(DataFlow::Node node |
- missingPinning(node) and
+ missingPinning(node, _) and
 loc = node.getLocation() and
 el = node.toString() and
 value = "" and
diff --git a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql
index 22238774af5..6dc626a59e0 100644
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test4/test.ql
@@ -9,7 +9,7 @@ class Test extends InlineExpectationsTest {
 override predicate hasActualResult(Location loc, string el, string tag, string value) {
 exists(DataFlow::Node node |
- missingPinning(node) and
+ missingPinning(node, _) and
 loc = node.getLocation() and
 el = node.toString() and
 value = "" and
diff --git a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql
index 22238774af5..6dc626a59e0 100644
--- a/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql
+++ b/java/ql/test/query-tests/security/CWE-295/AndroidMissingCertificatePinning/Test5/test.ql
@@ -9,7 +9,7 @@ class Test extends InlineExpectationsTest {
 override predicate hasActualResult(Location loc, string el, string tag, string value) {
 exists(DataFlow::Node node |
- missingPinning(node) and
+ missingPinning(node, _) and
 loc = node.getLocation() and
 el = node.toString() and
 value = "" and