Skip to content

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 25 commits into from
Jan 13, 2021
Merged

Java: Add unsafe hostname verification query and remove existing overlapping query #4771

merged 25 commits into from
Jan 13, 2021

Conversation

intrigus-lgtm
Copy link
Contributor

@intrigus-lgtm intrigus-lgtm commented Dec 2, 2020
edited
Loading

This PR adds an improved query for hostname verification vulnerabilities to the supported query set.
The overlapping existing code in https://github.com/github/codeql/blob/main/java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql is then removed, as it was easier for me to simply add a "new" query instead of duplicating/refactoring the existing query.

Todo:

  • Add change note.

@intrigus-lgtm intrigus-lgtm changed the title Duplicate UnsafeCert query so it can be split. Triplicate UnsafeCert query so it can be split. Dec 2, 2020
@intrigus-lgtm intrigus-lgtm changed the title Triplicate UnsafeCert query so it can be split. [Java] Triplicate UnsafeCert query so it can be split. Dec 2, 2020
@intrigus-lgtm intrigus-lgtm marked this pull request as ready for review December 2, 2020 20:51
@intrigus-lgtm intrigus-lgtm requested a review from a team as a code owner December 2, 2020 20:51
smowton
smowton reviewed Dec 3, 2020
View reviewed changes
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you remind me of the context why this is being replicated like this? I probably meant to split or move code without changing its behaviour rather than to produce (transiently) 3 identical copies of the same query, but I can't remember the original discussion off hand.

@intrigus-lgtm intrigus-lgtm force-pushed the split-cwe-295 branch 2 times, most recently from 0b5b5f1 to f064ea0 Compare December 8, 2020 20:10
@intrigus-lgtm intrigus-lgtm changed the title [Java] Triplicate UnsafeCert query so it can be split. Java: Add unsafe hostname verification query and remove existing overlapping query Dec 8, 2020
@intrigus-lgtm intrigus-lgtm requested review from smowton and removed request for a team December 8, 2020 20:19
intrigus-lgtm
intrigus-lgtm commented Dec 9, 2020
View reviewed changes
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql Outdated
Comment on lines 16 to 17
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking2
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ignore these two imports, they are for a later commit.

intrigus-lgtm
intrigus-lgtm commented Dec 9, 2020
View reviewed changes
java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java Outdated
@Override
public boolean verify(String hostname, SSLSession session) {
verify(hostname, session.getPeerCertificates());
return true; // GOOD [but detected as BAD]. The verification of the certificate is done in another method and
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This kind of scenario is rather rare, of ~100 Alerts I've only seen this pattern once.

@intrigus-lgtm
Copy link
Contributor Author

I applied all suggestions.

@smowton
Copy link
Contributor

smowton commented Dec 14, 2020

Have requested a codeowner review

felicitymay
felicitymay reviewed Dec 16, 2020
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@intrigus-lgtm - Apologies, my earlier suggestion to "fix" the query help was wrong.
I should have looked at the whole file and not jut the small part that the check reported.

Much of the syntax should be used as for HTML, so the <li> tags in the <recommendation> section need to be inside either <ol> or <ul> tags. However, it's not clear whether you really want a one sentence paragraph followed by a single bullet point for lines 23-27 so you might want to think about that.

You may find Query help files — CodeQL helpful. While the earlier lines weren't rejected by the PR check, I think that you're probably missing quite a bit of syntax here.

@intrigus-lgtm
Copy link
Contributor Author

The <li> was an artifact of an older revision.
I've removed it and I think it should work now.

Is it possible for a user to generate the qhelp file themselves?
IIRC there were some changes in that area enabling the use for normal users?

@intrigus-lgtm intrigus-lgtm mentioned this pull request Dec 24, 2020
Merged
This was referenced Jan 4, 2021
Closed
Closed
intrigus and others added 14 commits January 11, 2021 13:42
@intrigus
Java: Make EnvTaintedMethod public + QL-Doc
d98b171
@intrigus
Java: Improve QL-Doc
a62a2e5
@intrigus
Java: Filter results by feature flags.
9e2ef9b 
This ignores results that are guarded by a feature flag
that suggests an intentionally insecure feature.
Inspired by Go's `InsecureFeatureFlag.qll` and
`DisabledCertificateCheck.ql`.
@intrigus
Java: Update test
33b0ff2
@intrigus
Java: Accept test output
c88f07d
@intrigus-lgtm @smowton @intrigus
Apply suggestions from code review
10fc2cf 
Co-authored-by: Chris Smowton <smowton@github.com>
@intrigus-lgtm @felicitymay @intrigus
Fix Qhelp format
355cb6e 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
@intrigus
Java: Fix Qhelp
502e4c3
@intrigus-lgtm @felicitymay @intrigus
Apply suggestions from code review
b8f3e64 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
@intrigus
Java: Autoformat
e11304a
@intrigus-lgtm @felicitymay @intrigus
Apply suggestions from doc review
f4b912c 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
@intrigus
Java: Add QLDoc improve query message
b469273
@intrigus
Java: Further reduce FPs, simply Flag2Guard flow
1eb2b75
@intrigus
Java: Rename to EnvReadMethod
5c1e746
@intrigus-lgtm @aschackmull
Java: Improve QLDoc & simplify code
4cfdb10 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
felicitymay
felicitymay reviewed Jan 12, 2021
View reviewed changes
Copy link
Contributor

@felicitymay felicitymay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@intrigus-lgtm - thanks for the most recent changes to the query help file for "Disabled hostname verification".

From the docs point of view, the text is ready to merge once CodeQL reviewers are happy.

One last comment that I'd make is that the filename, ID and @name for the query are all different and possibly it would be clearer for other users if they were more similar. I'm not sure how much effort it would be to rename the file and update the ID so that they were inline with the query @name.

@intrigus-lgtm
Copy link
Contributor Author

@felicitymay what would you prefer?
Renaming @id and @name to java/unsafe-hostname-verification and Unsafe hostname verification?
That would be easier as I would not have to rename the files 🙂

@aschackmull
Copy link
Contributor

The test output of ql/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrust.qlref also needs fixing.

@aschackmull
Copy link
Contributor

Renaming @id and @name to java/unsafe-hostname-verification and Unsafe hostname verification?

That sounds fine to me.

We're also at the point where this should get a change note (add a file to ql/java/change-notes with a name that includes todays date, cf. the other files in that dir). See e.g. ql/java/change-notes/2020-09-21-jhipster-gen-prng-query.md for an example of another change note that also describes the addition of a new query.

@intrigus-lgtm
Copy link
Contributor Author

Added change note, accepted test output of ql/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrust.qlref.

@aschackmull aschackmull merged commit 29935e1 into github:main Jan 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felicitymay felicitymay felicitymay left review comments

@aschackmull aschackmull aschackmull approved these changes

@smowton smowton Awaiting requested review from smowton

Assignees

@smowton smowton

Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@intrigus-lgtm @smowton @felicitymay @aschackmull @intrigus