[WIP] Java: Improve CWE 295 #4536
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This seperates security issues with missing hostname verification (CWE 297) and issues with trustmanagers that accept any certificate as valid (CWE 295). (This is an incomplete separation for now)
Separate trust-all hostname verification and cases that miss enabling SSL endpoint identification.
smowton
reviewed
Oct 23, 2020
Comment on lines
+16
to
+18
| public X509Certificate[] getAcceptedIssuers() { | ||
| return null; //BAD: doesn't check cert issuer | ||
| } |
There was a problem hiding this comment.
Are you sure? All the uses in the JDK I can find seem to treat a null return as either invalid, or equivalent to a zero-length return (i.e., trust nobody).
Comment on lines
+36
to
+38
| public X509Certificate[] getAcceptedIssuers() { | ||
| return new X509Certificate[0]; //GOOD: Validate the cert issuer | ||
| } |
There was a problem hiding this comment.
Surely this rejects everything?
| </li> | ||
| <li> | ||
| <a href="https://support.google.com/faqs/answer/6346016?hl=en">How to fix apps containing an unsafe implementation of TrustManager</a> | ||
| <a href="https://support.google.com/faqs/answer/7188426?hl=en">How to resolve Insecure HostnameVerifier</a> |
There was a problem hiding this comment.
Would be better to find a link that doesn't specifically talk about Google Play, since this query is more general than that.
java/ql/src/experimental/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
Outdated
Show resolved
Hide resolved
smowton
reviewed
Oct 23, 2020
| <qhelp> | ||
|
|
||
| <overview> | ||
| <p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p> |
There was a problem hiding this comment.
Suggested change
| <p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p> | |
| <p>Java offers two mechanisms for SSL authentication - the X509 trust manager and the hostname verifier. The X509 trust manager validates the peer's certificate chain, while hostname verification establishes that the hostname in the URL matches the hostname given by the peer's certificate.</p> |
|
|
||
| <overview> | ||
| <p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p> | ||
| <p>And when SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p> |
There was a problem hiding this comment.
Suggested change
| <p>And when SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p> | |
| <p>Note that SSLSocket and SSLEngine do not verify hostnames by default. Verification must be enabled by calling <code>setEndpointIdentificationAlgorithm</code>.</p> |
| <overview> | ||
| <p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p> | ||
| <p>And when SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p> | ||
| <p>Unsafe implementation of the interface X509TrustManager, HostnameVerifier, and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p> |
There was a problem hiding this comment.
Suggested change
| <p>Unsafe implementation of the interface X509TrustManager, HostnameVerifier, and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p> | |
| <p>Unsafe implementations of the interfaces <code>X509TrustManager</code>, <code>HostnameVerifier</code>, and <code>SSLSocket</code>/<code>SSLEngine</code> that ignore SSL certificate validation errors when establishing an HTTPS connection make the connection vulnerable to man-in-the-middle attacks.</p> |
| <p>Java offers two mechanisms for SSL authentication - trust manager and hostname verifier. Trust manager validates the peer's certificate chain while hostname verification establishes that the hostname in the URL matches the hostname in the server's identification.</p> | ||
| <p>And when SSLSocket or SSLEngine is created without a valid parameter of setEndpointIdentificationAlgorithm, hostname verification is disabled by default.</p> | ||
| <p>Unsafe implementation of the interface X509TrustManager, HostnameVerifier, and SSLSocket/SSLEngine ignores all SSL certificate validation errors when establishing an HTTPS connection, thereby making the app vulnerable to man-in-the-middle attacks.</p> | ||
| <p>This query checks whether trust manager is set to trust all certificates, the hostname verifier is turned off, or setEndpointIdentificationAlgorithm is missing. The query also covers a special implementation com.rabbitmq.client.ConnectionFactory.</p> |
There was a problem hiding this comment.
Suggested change
| <p>This query checks whether trust manager is set to trust all certificates, the hostname verifier is turned off, or setEndpointIdentificationAlgorithm is missing. The query also covers a special implementation com.rabbitmq.client.ConnectionFactory.</p> | |
| <p>This query checks whether trust manager is set to trust all certificates, the hostname verifier is turned off, or <code>setEndpointIdentificationAlgorithm</code> is missing. The query also covers an insecure implementation <code>com.rabbitmq.client.ConnectionFactory</code>.</p> |
Comment on lines
+25
to
+28
| m2.getDeclaringType() = this and | ||
| m2.hasName("getAcceptedIssuers") and | ||
| rt2.getEnclosingCallable() = m2 and | ||
| rt2.getResult() instanceof NullLiteral |
There was a problem hiding this comment.
Comment from previous review still applies: this doesn't seem to be a problem
Comment on lines
+41
to
+51
| exists(ArrayInit ai | | ||
| this.getArgument(1).(ArrayCreationExpr).getInit() = ai and | ||
| ai.getInit(0).(VarAccess).getVariable().getInitializer().getType().(Class).getASupertype*() | ||
| instanceof X509TrustAllManager //Scenario of context.init(null, new TrustManager[] { TRUST_ALL_CERTIFICATES }, null); | ||
| ) | ||
| or | ||
| exists(Variable v, ArrayInit ai | | ||
| this.getArgument(1).(VarAccess).getVariable() = v and | ||
| ai.getParent() = v.getAnAssignedValue() and | ||
| ai.getInit(0).getType().(Class).getASupertype*() instanceof X509TrustAllManager //Scenario of context.init(null, serverTMs, null); | ||
| ) |
There was a problem hiding this comment.
Comment from previous review still applies: avoid using brittle precise syntax like this; instead use function models to follow taint (in this case indicating an insecure config) from the instantiation of the weak checker through to use in an SSLSocket or similar.
java/ql/src/experimental/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
Outdated
Show resolved
Hide resolved
1 task
|
Superseded by #4771 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continuation of #3581
@smowton what do you think about the approach?
I.e. using data flow and splitting everything into unsafe trustmanager, trust-all hostname verifier, and missing SSL endpoint indentification?