Merge pull request #6443 from artem-smotrakov/ignored-hostname-verifier

Java: An experimental query for ignored hostname verification
2026-05-02 20:25:13 +02:00 · 2022-02-14 18:56:27 +00:00
parent de5b3a272d f2bc5849ce
commit fd4dc95d84
7 changed files with 201 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.expected
@@ -0,0 +1 @@
+| IgnoredHostnameVerification.java:16:5:16:46 | verify(...) | Ignored result of hostname verification. |
--- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
@@ -0,0 +1,112 @@
+import java.io.IOException;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+public class IgnoredHostnameVerification {
+
+  // BAD: ignored result of HostnameVerifier.verify()
+  public static SSLSocket connectWithIgnoredHostnameVerification(
+      String host, int port, HostnameVerifier verifier) throws IOException {
+
+    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
+    socket.startHandshake();
+    verifier.verify(host, socket.getSession());
+    return socket;
+  }
+
+  public static void check(boolean result) throws SSLException {
+    if (!result) {
+      throw new SSLException("Oops! Hostname verification failed!");
+    }
+  }
+
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static SSLSocket connectWithHostnameVerification00(
+      String host, int port, HostnameVerifier verifier) throws IOException {
+
+    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
+    socket.startHandshake();
+    check(verifier.verify(host, socket.getSession()));
+    return socket;
+  }
+
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static SSLSocket connectWithHostnameVerification01(
+      String host, int port, HostnameVerifier verifier) throws IOException {
+
+    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
+    socket.startHandshake();
+    boolean successful = verifier.verify(host, socket.getSession());
+    if (successful == false) {
+      socket.close();
+      throw new SSLException("Oops! Hostname verification failed!");
+    }
+
+    return socket;
+  }
+
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static SSLSocket connectWithHostnameVerification02(
+      String host, int port, HostnameVerifier verifier) throws IOException {
+
+    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
+    socket.startHandshake();
+    boolean successful = false;
+    if (verifier != null) {
+      successful = verifier.verify(host, socket.getSession());
+    }
+    if (!successful) {
+      socket.close();
+      throw new SSLException("Oops! Hostname verification failed!");
+    }
+
+    return socket;
+  }
+
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static SSLSocket connectWithHostnameVerification03(
+      String host, int port, HostnameVerifier verifier) throws IOException {
+
+    SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
+    socket.startHandshake();
+    boolean successful = verifier.verify(host, socket.getSession());
+    if (successful) {
+      return socket;
+    }
+
+    socket.close();
+    throw new SSLException("Oops! Hostname verification failed!");
+  }
+
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static String connectWithHostnameVerification04(
+      String[] hosts, HostnameVerifier verifier, SSLSession session) throws IOException {
+
+    for (String host : hosts) {
+      if (verifier.verify(host, session)) {
+        return host;
+      }
+    }
+
+    throw new SSLException("Oops! Hostname verification failed!");
+  }
+
+  public static class HostnameVerifierWrapper implements HostnameVerifier {
+
+    private final HostnameVerifier verifier;
+
+    public HostnameVerifierWrapper(HostnameVerifier verifier) {
+      this.verifier = verifier;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+      return verifier.verify(hostname, session); // GOOD: wrapped calls should not be reported
+    }
+
+  }
+
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
				`@@ -0,0 +1 @@`
				`\| IgnoredHostnameVerification.java:16:5:16:46 \| verify(...) \| Ignored result of hostname verification. \|`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql`