hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 08:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Diff-informed UnsafeHostnameVerification.ql

Browse Source 
This commit also adds a test case that would fail under `codeql test run
--check-diff-informed` if not for the override of
`getASelectedSourceLocation`. There was no existing such test since all
the existing tests used anonymous classes whose location was on the same
line as the source.
This commit is contained in:
Jonas Jensen
2024-10-05 21:54:14 +02:00
parent 8224ef6929
commit fea260bd55
3 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
View File

@@ -65,6 +65,17 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
"|(set)?(accept|trust|ignore|allow)(all|every|any)" +
"|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$")
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node source) {
isSource(source) and
(
result = source.getLocation()
or
result = source.asExpr().(ClassInstanceExpr).getConstructedType().getLocation()
)
}
}
/** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */

2
java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.expected
View File

@@ -4,6 +4,7 @@
| UnsafeHostnameVerification.java:47:55:47:71 | ...->... | UnsafeHostnameVerification.java:47:55:47:71 | ...->... | UnsafeHostnameVerification.java:47:55:47:71 | ...->... | The $@ defined by $@ always accepts any certificate, even if the hostname does not match. | UnsafeHostnameVerification.java:47:55:47:71 | ...->... | hostname verifier | UnsafeHostnameVerification.java:47:55:47:71 | new HostnameVerifier(...) { ... } | this type |
| UnsafeHostnameVerification.java:81:55:81:62 | verifier | UnsafeHostnameVerification.java:66:37:80:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:81:55:81:62 | verifier | The $@ defined by $@ always accepts any certificate, even if the hostname does not match. | UnsafeHostnameVerification.java:66:37:80:9 | new (...) : new HostnameVerifier(...) { ... } | hostname verifier | UnsafeHostnameVerification.java:66:41:66:56 | new HostnameVerifier(...) { ... } | this type |
| UnsafeHostnameVerification.java:94:55:94:62 | verifier | UnsafeHostnameVerification.java:88:37:93:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:94:55:94:62 | verifier | The $@ defined by $@ always accepts any certificate, even if the hostname does not match. | UnsafeHostnameVerification.java:88:37:93:9 | new (...) : new HostnameVerifier(...) { ... } | hostname verifier | UnsafeHostnameVerification.java:88:41:88:56 | new HostnameVerifier(...) { ... } | this type |
| UnsafeHostnameVerification.java:116:55:116:78 | new AlwaysTrueVerifier(...) | UnsafeHostnameVerification.java:116:55:116:78 | new AlwaysTrueVerifier(...) | UnsafeHostnameVerification.java:116:55:116:78 | new AlwaysTrueVerifier(...) | The $@ defined by $@ always accepts any certificate, even if the hostname does not match. | UnsafeHostnameVerification.java:116:55:116:78 | new AlwaysTrueVerifier(...) | hostname verifier | UnsafeHostnameVerification.java:104:26:104:43 | AlwaysTrueVerifier | this type |
edges
| UnsafeHostnameVerification.java:66:37:80:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:81:55:81:62 | verifier | provenance | Sink:MaD:1 |
| UnsafeHostnameVerification.java:88:37:93:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:94:55:94:62 | verifier | provenance | Sink:MaD:1 |
@@ -23,4 +24,5 @@ nodes
| UnsafeHostnameVerification.java:94:55:94:62 | verifier | semmle.label | verifier |
| UnsafeHostnameVerification.java:97:42:97:68 | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } | semmle.label | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } |
| UnsafeHostnameVerification.java:97:72:102:5 | new (...) : new HostnameVerifier(...) { ... } | semmle.label | new (...) : new HostnameVerifier(...) { ... } |
| UnsafeHostnameVerification.java:116:55:116:78 | new AlwaysTrueVerifier(...) | semmle.label | new AlwaysTrueVerifier(...) |
subpaths

16
java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
View File

@@ -100,4 +100,20 @@ public class UnsafeHostnameVerification {
return true; // BAD, always returns true
}
};
private static class AlwaysTrueVerifier implements HostnameVerifier {
@Override
public boolean verify(String hostname, SSLSession session) {
return true; // BAD, always returns true
}
}
/**
* Same as testTrustAllHostnameOfAnonymousClass, but with a named class.
* This is for testing the diff-informed functionality of the query.
*/
public void testTrustAllHostnameOfNamedClass() {
HttpsURLConnection.setDefaultHostnameVerifier(new AlwaysTrueVerifier());
}
}