Update qldoc and test method

This commit is contained in:
luchua-bc
2021-02-16 14:11:39 +00:00
parent 5ce3af0591
commit e698ee77f7
2 changed files with 6 additions and 5 deletions


@@ -5,8 +5,8 @@
<overview>
<p>Java versions 8u181 or greater have enabled LDAPS endpoint identification by default. Nowadays infrastructure services like LDAP are commonly deployed behind load balancers therefore the LDAP server name can be different from the FQDN of the LDAPS endpoint. If a service certificate does not properly contain a matching DNS name as part of the certificate, Java will reject it by default.</p>
<p>Instead of addressing the issue properly by having a compliant certificate deployed, frequently developers simply disable LDAPS endpoint check.</p>
<p>Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. This query checks whether LDAPS endpoint check is disabled in system properties.</p>
<p>Instead of addressing the issue properly by having a compliant certificate deployed, frequently developers simply disable the LDAPS endpoint check.</p>
<p>Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. This query checks whether the LDAPS endpoint check is disabled in system properties.</p>
</overview>
<recommendation>


@@ -32,7 +32,7 @@ class SetPropertyMethod extends Method {
}
}
/** The method to set system properties. */
/** The `setProperties` method declared in `java.lang.System`. */
class SetSystemPropertiesMethod extends Method {
SetSystemPropertiesMethod() {
this.hasName("setProperties") and
@@ -40,7 +40,7 @@ class SetSystemPropertiesMethod extends Method {
}
}
/** Holds if an expression is evaluated to the string literal `com.sun.jndi.ldap.object.disableEndpointIdentification`. */
/** Holds if `expr` is evaluated to the string literal `com.sun.jndi.ldap.object.disableEndpointIdentification`. */
predicate isPropertyDisableLdapEndpointId(Expr expr) {
expr.(CompileTimeConstantExpr).getStringValue() =
"com.sun.jndi.ldap.object.disableEndpointIdentification"
@@ -72,7 +72,8 @@ predicate isBooleanTrue(Expr expr) {
/** Holds if `ma` is in a test class or method. */
predicate isTestMethod(MethodAccess ma) {
ma.getMethod() instanceof TestMethod or
ma.getEnclosingCallable() instanceof TestMethod or
ma.getEnclosingCallable().getDeclaringType() instanceof TestClass or
ma.getEnclosingCallable().getDeclaringType().getPackage().getName().matches("%test%") or
ma.getEnclosingCallable().getDeclaringType().getName().toLowerCase().matches("%test%")
}
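Review bot: The last two alternatives of `isTestMethod` treat any declaring type or package whose lower-cased name merely contains the substring `test` as test code, so a production class such as an attestation client or a "latest settings" helper (or any package segment like `latest`) would have its `disableEndpointIdentification` writes silently dropped from the results; which of the two lines this commit adds is not visible here, but the substring match applies to both. Anchoring the type check to conventional test naming, e.g. `ma.getEnclosingCallable().getDeclaringType().getName().matches("%Test") or` and `ma.getEnclosingCallable().getDeclaringType().getName().matches("Test%")`, and matching the package name per segment (`matches("%.test.%")` / `matches("%.test")`) keeps the intended exclusion without those false negatives. The qldoc on the line above the predicate should also state the heuristic it now applies, e.g. `/** Holds if ma is in a test method or test class, or in a package or type whose name suggests test code. */`.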