Address issues with matching empty host and host in a concatenated string

This commit is contained in:
luchua-bc
2020-08-06 01:53:29 +00:00
parent 9a8eed8440
commit b821f918e5
3 changed files with 21 additions and 25 deletions


@@ -87,7 +87,7 @@ class HttpStringLiteral extends StringLiteral {
HttpStringLiteral() {
// Match URLs with the HTTP protocol and without private IP addresses to reduce false positives.
exists(string s | this.getRepresentedString() = s |
s.regexpMatch("(?i)http://[\\[:a-zA-Z0-9].*") and
s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*") and
not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
)
}
@@ -106,29 +106,24 @@ predicate concatHttpString(Expr protocol, Expr host) {
.(CompileTimeConstantExpr)
.getStringValue()
.regexpMatch("(?i)http(://)?")
) and // Not empty host string
(
host.(CompileTimeConstantExpr).getStringValue().length() > 0 or
host
.(VarAccess)
.getVariable()
.getAnAssignedValue()
.(CompileTimeConstantExpr)
.getStringValue()
.length() > 0
) and
not (
host.(CompileTimeConstantExpr).getStringValue().regexpMatch(getPrivateHostRegex()) or
host
.(VarAccess)
.getVariable()
.getAnAssignedValue()
.(CompileTimeConstantExpr)
.getStringValue()
.regexpMatch(getPrivateHostRegex())
not exists(string hostString |
hostString = host.(CompileTimeConstantExpr).getStringValue() or
hostString =
host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
|
hostString.length() = 0 or // Empty host is loopback address
hostString.regexpMatch(getPrivateHostRegex())
)
}
/** Gets the leftmost operand in a concatenated string */
Expr getLeftmostConcatOperand(Expr expr) {
if expr instanceof AddExpr
then result = getLeftmostConcatOperand(expr.(AddExpr).getLeftOperand())
else result = expr
}
/**
* String concatenated with `HttpStringLiteral`.
*/
@@ -136,7 +131,8 @@ class HttpString extends Expr {
HttpString() {
this instanceof HttpStringLiteral
or
concatHttpString(this.(AddExpr).getLeftOperand(), this.(AddExpr).getRightOperand())
concatHttpString(this.(AddExpr).getLeftOperand(),
getLeftmostConcatOperand(this.(AddExpr).getRightOperand()))
}
}
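Review bot: The rewritten host check in `concatHttpString` (hunk at -106,29) no longer requires that `host` have any compile-time string value: `not exists(string hostString | ...)` is vacuously true when `host` is neither a `CompileTimeConstantExpr` nor a `VarAccess` with a constant assigned value, whereas the removed `length() > 0` disjunction rejected such hosts, so `"http://" + nonConstantExpr` now counts as an HTTP string where it previously did not. If that widening is deliberate it should be stated in the predicate, e.g. `// Hosts with no known string value are treated as possibly non-private`; if not, factoring the candidate string into a helper and requiring it to exist keeps the old contract while retaining the de-duplication this commit introduces (sketch below). The enclosing predicate's head lies outside the hunk. Separately, `getLeftmostConcatOperand` only descends through `AddExpr`; if parenthesized operands are distinct AST nodes in this library, the nested parentheses in the accompanying test (`"http://"+(((host+...)+...))`) would stop the descent at the parenthesis, so that test's expected result is worth checking for the intended reason rather than a non-match.
```ql
/** Gets a compile-time string value that `host` may hold. */
string getHostString(Expr host) {
  result = host.(CompileTimeConstantExpr).getStringValue() or
  result = host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
}

predicate concatHttpString(Expr protocol, Expr host) {
  // … unchanged: protocol check …
  exists(getHostString(host)) and // Host must have a known string value
  not exists(string hostString | hostString = getHostString(host) |
    hostString.length() = 0 or // Empty host is loopback address
    hostString.regexpMatch(getPrivateHostRegex())
  )
}
```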


@@ -1,6 +1,6 @@
edges
| InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
| InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post |
| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post |
| InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
@@ -13,7 +13,7 @@ edges
nodes
| InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | semmle.label | ... + ... : String |
| InsecureBasicAuth.java:28:3:28:6 | post | semmle.label | post |
| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | semmle.label | "http://www.example.com:dashboardPort/payment/retrieve" : String |
| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | semmle.label | "http://www.example.com:8000/payment/retrieve" : String |
| InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get |
| InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
| InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post |
@@ -33,7 +33,7 @@ nodes
| InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn |
#select
| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url |
| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" | HTTP url |
| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" | HTTP url |
| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
| InsecureBasicAuth.java:71:3:71:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
| InsecureBasicAuth.java:86:3:86:6 | post | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:47:78:52 | "http" | HTTP url |


@@ -156,7 +156,7 @@ public class InsecureBasicAuth {
String host = "LOCALHOST";
String authString = username + ":" + password;
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
HttpURLConnection conn = (HttpURLConnection) new URL("http://"+host+"/rest/getuser.do"+"?uid=abcdx").openConnection();
HttpURLConnection conn = (HttpURLConnection) new URL("http://"+(((host+"/rest/getuser.do")+"?uid=abcdx"))).openConnection();
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setRequestProperty("Authorization", "Basic " + encoding);