|
1 | 1 | /** |
2 | 2 | * @id java/incorrect-url-verification |
3 | 3 | * @name Insertion of sensitive information into log files |
4 | | - * @description Apps that rely on URL parsing to verify that a given URL is pointing to a trusted server are susceptible to wrong ways of URL parsing and verification. |
| 4 | + * @description Apps that rely on URL parsing to verify that a given URL is pointing to a trusted server are susceptible to wrong ways of URL parsing and verification. |
5 | 5 | * @kind problem |
6 | 6 | * @tags security |
7 | 7 | * external/cwe-939 |
8 | 8 | */ |
9 | 9 |
|
10 | 10 | import java |
11 | 11 |
|
12 | | - |
13 | 12 | /** |
14 | 13 | * The Java class `android.net.Uri` and `java.net.URL`. |
15 | 14 | */ |
16 | 15 | class Uri extends RefType { |
17 | | - Uri() { |
18 | | - hasQualifiedName("android.net", "Uri") or |
19 | | - hasQualifiedName("java.net", "URL") |
20 | | - } |
| 16 | + Uri() { |
| 17 | + hasQualifiedName("android.net", "Uri") or |
| 18 | + hasQualifiedName("java.net", "URL") |
| 19 | + } |
21 | 20 | } |
22 | 21 |
|
23 | 22 | /** |
24 | 23 | * The method `getHost()` declared in `android.net.Uri` and `java.net.URL`. |
25 | 24 | */ |
26 | 25 | class UriGetHostMethod extends Method { |
27 | | - UriGetHostMethod() { |
28 | | - getDeclaringType() instanceof Uri and |
29 | | - hasName("getHost") and |
30 | | - getNumberOfParameters() = 0 |
31 | | - } |
| 26 | + UriGetHostMethod() { |
| 27 | + getDeclaringType() instanceof Uri and |
| 28 | + hasName("getHost") and |
| 29 | + getNumberOfParameters() = 0 |
| 30 | + } |
32 | 31 | } |
33 | 32 |
|
34 | 33 | /** |
35 | 34 | * A library method that acts like `String.format` by formatting a number of |
36 | 35 | * its arguments according to a format string. |
37 | 36 | */ |
38 | 37 | class HostVerificationMethodAccess extends MethodAccess { |
39 | | - HostVerificationMethodAccess() { |
40 | | - ( |
41 | | - |
42 | | - this.getMethod().hasName("endsWith") or |
43 | | - this.getMethod().hasName("contains") or |
44 | | - this.getMethod().hasName("indexOf") |
45 | | - ) and |
46 | | - this.getMethod().getNumberOfParameters() = 1 and |
47 | | - ( |
48 | | - this.getArgument(0).(StringLiteral).getRepresentedString().charAt(0) != "." or //string constant comparison e.g. uri.getHost().endsWith("example.com") |
49 | | - this.getArgument(0).(AddExpr).getLeftOperand().(VarAccess).getVariable().getAnAssignedValue().(StringLiteral).getRepresentedString().charAt(0) != "." or //var1+var2, check var1 starts with "." e.g. String domainName = "example"; Uri.parse(url).getHost().endsWith(domainName+".com") |
50 | | - this.getArgument(0).(AddExpr).getLeftOperand().(StringLiteral).getRepresentedString().charAt(0) != "." or //"."+var2, check string constant "." e.g. String domainName = "example.com"; Uri.parse(url).getHost().endsWith("www."+domainName) |
51 | | - exists (MethodAccess ma | this.getArgument(0) = ma and ma.getMethod().hasName("getString") and ma.getArgument(0).toString().indexOf("R.string") = 0) or //Check resource properties in /res/values/strings.xml in Android mobile applications using res.getString(R.string.key) |
52 | | - this.getArgument(0).(VarAccess).getVariable().getAnAssignedValue().(StringLiteral).getRepresentedString().charAt(0) != "." //check variable starts with "." e.g. String domainName = "example.com"; Uri.parse(url).getHost().endsWith(domainName) |
53 | | - ) |
54 | | - } |
| 38 | + HostVerificationMethodAccess() { |
| 39 | + ( |
| 40 | + this.getMethod().hasName("endsWith") or |
| 41 | + this.getMethod().hasName("contains") or |
| 42 | + this.getMethod().hasName("indexOf") |
| 43 | + ) and |
| 44 | + this.getMethod().getNumberOfParameters() = 1 and |
| 45 | + ( |
| 46 | + this.getArgument(0).(StringLiteral).getRepresentedString().charAt(0) != "." //string constant comparison e.g. uri.getHost().endsWith("example.com") |
| 47 | + or |
| 48 | + this |
| 49 | + .getArgument(0) |
| 50 | + .(AddExpr) |
| 51 | + .getLeftOperand() |
| 52 | + .(VarAccess) |
| 53 | + .getVariable() |
| 54 | + .getAnAssignedValue() |
| 55 | + .(StringLiteral) |
| 56 | + .getRepresentedString() |
| 57 | + .charAt(0) != "." //var1+var2, check var1 starts with "." e.g. String domainName = "example"; Uri.parse(url).getHost().endsWith(domainName+".com") |
| 58 | + or |
| 59 | + this |
| 60 | + .getArgument(0) |
| 61 | + .(AddExpr) |
| 62 | + .getLeftOperand() |
| 63 | + .(StringLiteral) |
| 64 | + .getRepresentedString() |
| 65 | + .charAt(0) != "." //"."+var2, check string constant "." e.g. String domainName = "example.com"; Uri.parse(url).getHost().endsWith("www."+domainName) |
| 66 | + or |
| 67 | + exists(MethodAccess ma | |
| 68 | + this.getArgument(0) = ma and |
| 69 | + ma.getMethod().hasName("getString") and |
| 70 | + ma.getArgument(0).toString().indexOf("R.string") = 0 |
| 71 | + ) //Check resource properties in /res/values/strings.xml in Android mobile applications using res.getString(R.string.key) |
| 72 | + or |
| 73 | + this |
| 74 | + .getArgument(0) |
| 75 | + .(VarAccess) |
| 76 | + .getVariable() |
| 77 | + .getAnAssignedValue() |
| 78 | + .(StringLiteral) |
| 79 | + .getRepresentedString() |
| 80 | + .charAt(0) != "." //check variable starts with "." e.g. String domainName = "example.com"; Uri.parse(url).getHost().endsWith(domainName) |
| 81 | + ) |
| 82 | + } |
55 | 83 | } |
56 | 84 |
|
57 | 85 | from UriGetHostMethod um, MethodAccess uma, HostVerificationMethodAccess hma |
58 | 86 | where hma.getQualifier() = uma and uma.getMethod() = um |
59 | | -select "Potentially improper URL verification with $@ in $@ having $@.", |
60 | | - hma, hma.getFile(), hma.getArgument(0), "user-provided value" |
| 87 | +select "Potentially improper URL verification with $@ in $@ having $@.", hma, hma.getFile(), |
| 88 | + hma.getArgument(0), "user-provided value" |
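Review bot: The `@name` in the query header still reads "Insertion of sensitive information into log files", which contradicts `@id java/incorrect-url-verification` and the `@description` reflowed on the next line; the reformat keeps this copy-paste leftover in place, and the header also has no `@problem.severity` tag. Suggest `* @name Incorrect URL verification` (or wording that matches the `@id`). The QLDoc on `HostVerificationMethodAccess` ("A library method that acts like `String.format` …") likewise describes a different class; suggest `A call to endsWith, contains or indexOf whose argument does not start with ".", i.e. a host check that does not enforce a domain-suffix match.` Separately, the `charAt(0) != "."` exclusions in the new body only make sense for `endsWith`: a `contains` or `indexOf` call is not a suffix check even when its argument starts with ".", so such calls appear to be dropped from results when they should still be reported, and applying the leading-dot exclusions only to the `endsWith` case looks like the intended behavior.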