Java: Add unsafe hostname verification query and remove existing overlapping query#4771
Java: Add unsafe hostname verification query and remove existing overlapping query#4771aschackmull merged 25 commits intogithub:mainfrom
Conversation
intrigus-lgtm
force-pushed
the
split-cwe-295
branch
from
203ac23 to
5c2adb1
Compare
intrigus-lgtm
changed the title
intrigus-lgtm
changed the title
smowton
left a comment
smowton
left a comment
There was a problem hiding this comment.
Can you remind me of the context why this is being replicated like this? I probably meant to split or move code without changing its behaviour rather than to produce (transiently) 3 identical copies of the same query, but I can't remember the original discussion off hand.
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-297/MissingSslEndpointIdentification.qhelp
Outdated
Show resolved
Hide resolved
intrigus-lgtm
force-pushed
the
split-cwe-295
branch
2 times, most recently
from
0b5b5f1 to
f064ea0
Compare
intrigus-lgtm
changed the title
java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.qhelp
Outdated
Show resolved
Hide resolved
java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java
Show resolved
Hide resolved
| import semmle.code.java.dataflow.FlowSources | ||
| import semmle.code.java.dataflow.TaintTracking2 |
There was a problem hiding this comment.
Ignore these two imports, they are for a later commit.
| @Override | ||
| public boolean verify(String hostname, SSLSession session) { | ||
| verify(hostname, session.getPeerCertificates()); | ||
| return true; // GOOD [but detected as BAD]. The verification of the certificate is done in another method and |
There was a problem hiding this comment.
This kind of scenario is rather rare, of ~100 Alerts I've only seen this pattern once.
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp
Outdated
Show resolved
Hide resolved
|
I applied all suggestions. |
|
Have requested a codeowner review |
felicitymay
left a comment
felicitymay
left a comment
There was a problem hiding this comment.
@intrigus-lgtm - Apologies, my earlier suggestion to "fix" the query help was wrong.
I should have looked at the whole file and not jut the small part that the check reported.
Much of the syntax should be used as for HTML, so the <li> tags in the <recommendation> section need to be inside either <ol> or <ul> tags. However, it's not clear whether you really want a one sentence paragraph followed by a single bullet point for lines 23-27 so you might want to think about that.
You may find Query help files — CodeQL helpful. While the earlier lines weren't rejected by the PR check, I think that you're probably missing quite a bit of syntax here.
|
The Is it possible for a user to generate the qhelp file themselves? |
This ignores results that are guarded by a feature flag that suggests an intentionally insecure feature. Inspired by Go's `InsecureFeatureFlag.qll` and `DisabledCertificateCheck.ql`.
Co-authored-by: Chris Smowton <smowton@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
intrigus-lgtm
force-pushed
the
split-cwe-295
branch
from
2f6e9bc to
5c1e746
Compare
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.qhelp
Outdated
Show resolved
Hide resolved
felicitymay
left a comment
felicitymay
left a comment
There was a problem hiding this comment.
@intrigus-lgtm - thanks for the most recent changes to the query help file for "Disabled hostname verification".
From the docs point of view, the text is ready to merge once CodeQL reviewers are happy.
One last comment that I'd make is that the filename, ID and @name for the query are all different and possibly it would be clearer for other users if they were more similar. I'm not sure how much effort it would be to rename the file and update the ID so that they were inline with the query @name.
|
@felicitymay what would you prefer? |
|
The test output of |
That sounds fine to me. We're also at the point where this should get a change note (add a file to |
intrigus-lgtm
force-pushed
the
split-cwe-295
branch
from
45a29d7 to
2931e1f
Compare
|
Added change note, accepted test output of |
5 participants
This PR adds an improved query for hostname verification vulnerabilities to the supported query set.
The overlapping existing code in https://github.com/github/codeql/blob/main/java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql is then removed, as it was easier for me to simply add a "new" query instead of duplicating/refactoring the existing query.
Todo: