Added a query for ignored hostname verification

artem-smotrakov · artem-smotrakov · commit 2b33265d0f75 · 2022-01-16T18:27:49.000Z
- Added IgnoredHostnameVerification.ql
- Added a qhelp file with examples
- Added tests
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -7,34 +7,43 @@
  * @precision medium
  * @id java/ignored-hostname-verification
  * @tags security
- *       external/cwe/cwe-295
+ *       external/cwe/cwe-297
  */
 
 import java
 import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
 
+/** The `HostnameVerifier.verify()` method. */
+private class HostnameVerifierVerifyMethod extends Method {
+  HostnameVerifierVerifyMethod() {
+    this.getDeclaringType().getASupertype*().hasQualifiedName("javax.net.ssl", "HostnameVerifier") and
+    this.hasStringSignature("verify(String, SSLSession)")
+  }
+}
+
+/** Defines `HostnameVerifier.verity()` calls that are not wrapped by another `HostnameVerifier`. */
 private class HostnameVerificationCall extends MethodAccess {
   HostnameVerificationCall() {
-    getMethod()
-        .getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.net.ssl", "HostnameVerifier") and
-    getMethod().hasStringSignature("verify(String, SSLSession)")
+    this.getMethod() instanceof HostnameVerifierVerifyMethod and
+    not this.getCaller() instanceof HostnameVerifierVerifyMethod
   }
 
-  predicate ignored() {
+  /** Holds if the result if the call is not useds. */
+  predicate isIgnored() {
     not exists(
       DataFlow::Node source, DataFlow::Node sink, CheckFailedHostnameVerificationConfig config
     |
-      this = source.asExpr()
-    |
-      config.hasFlow(source, sink)
+      this = source.asExpr() and config.hasFlow(source, sink)
     )
   }
 }
 
-private class CheckFailedHostnameVerificationConfig extends TaintTracking::Configuration {
+/**
+ * A configuration that tracks data flows from the result of a `HostnameVerifier.vefiry()` call
+ * to a condition that controls a throw statement.
+ */
+private class CheckFailedHostnameVerificationConfig extends DataFlow::Configuration {
   CheckFailedHostnameVerificationConfig() { this = "CheckFailedHostnameVerificationConfig" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -54,5 +63,5 @@ private class CheckFailedHostnameVerificationConfig extends TaintTracking::Confi
 }
 
 from HostnameVerificationCall verification
-where verification.ignored()
-select verification, "Ignored result of hostname verification."
+where verification.isIgnored()
+select verification, "Ignored result of hostname verification."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
@@ -1,6 +1,7 @@
 import java.io.IOException;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
@@ -89,4 +90,19 @@ public static SSLSocket connectWithHostnameVerification03(
     throw new SSLException("Oops! Hostname verification failed!");
   }
 
-}
+  public static class HostnameVerifierWrapper implements HostnameVerifier {
+
+    private final HostnameVerifier verifier;
+
+    public HostnameVerifierWrapper(HostnameVerifier verifier) {
+        this.verifier = verifier;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+        return verifier.verify(hostname, session); // GOOD: wrapped calls should not be reported
+    }
+
+  }
+
+}
