Merge pull request github#6103 from atorralba/atorralba/promote-insecure-javamail

Java: Promote Insecure JavaMail SSL Configuration from experimental

Author: aschackmull

java/change-notes/2021-06-18-insecure-java-mail-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Insecure JavaMail SSL Configuration" (`java/insecure-smtp-ssl`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3491).

java/ql/lib/semmle/code/java/frameworks/Mail.qll

@@ -0,0 +1,27 @@
+/** Provides classes and predicates to work with email */
+
+import java
+
+/**
+ * The class `javax.mail.Session` or `jakarta.mail.Session`.
+ */
+class MailSession extends Class {
+  MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") }
+}
+
+/**
+ * The method `getInstance` of the classes `javax.mail.Session` or `jakarta.mail.Session`.
+ */
+class MailSessionGetInstanceMethod extends Method {
+  MailSessionGetInstanceMethod() {
+    this.getDeclaringType() instanceof MailSession and
+    this.getName() = "getInstance"
+  }
+}
+
+/**
+ * A subtype of the class `org.apache.commons.mail.Email`.
+ */
+class ApacheEmail extends Class {
+  ApacheEmail() { this.getASupertype*().hasQualifiedName("org.apache.commons.mail", "Email") }
+}

java/ql/lib/semmle/code/java/security/Mail.qll

@@ -0,0 +1,74 @@
+/** Provides classes and predicates to reason about email vulnerabilities. */
+
+import java
+import semmle.code.java.frameworks.Mail
+private import semmle.code.java.frameworks.Properties
+
+/**
+ * The insecure way to set Java properties in mail sessions.
+ * 1. Set the `mail.smtp.auth` property to provide the SMTP Transport with a username and password when connecting to the SMTP server or
+ *    set the `mail.smtp.ssl.socketFactory`/`mail.smtp.ssl.socketFactory.class` property to create an SMTP SSL socket.
+ * 2. No `mail.smtp.ssl.checkserveridentity` property is enabled.
+ */
+predicate isInsecureMailPropertyConfig(Variable properties) {
+  exists(MethodAccess ma |
+    ma.getMethod() instanceof SetPropertyMethod and
+    ma.getQualifier() = properties.getAnAccess()
+  |
+    getStringValue(ma.getArgument(0)).matches("%.auth%") and //mail.smtp.auth
+    getStringValue(ma.getArgument(1)) = "true"
+    or
+    getStringValue(ma.getArgument(0)).matches("%.socketFactory%") //mail.smtp.socketFactory or mail.smtp.socketFactory.class
+  ) and
+  not exists(MethodAccess ma |
+    ma.getMethod() instanceof SetPropertyMethod and
+    ma.getQualifier() = properties.getAnAccess()
+  |
+    getStringValue(ma.getArgument(0)).matches("%.ssl.checkserveridentity%") and //mail.smtp.ssl.checkserveridentity
+    getStringValue(ma.getArgument(1)) = "true"
+  )
+}
+
+/**
+ * Holds if `ma` enables TLS/SSL with Apache Email.
+ */
+predicate enablesEmailSsl(MethodAccess ma) {
+  ma.getMethod().hasName(["setSSLOnConnect", "setStartTLSRequired"]) and
+  ma.getMethod().getDeclaringType() instanceof ApacheEmail and
+  ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
+}
+
+/**
+ * Holds if a SSL certificate check is enabled on an access of `apacheEmail` with Apache Email.
+ */
+predicate hasSslCertificateCheck(Variable apacheEmail) {
+  exists(MethodAccess ma |
+    ma.getQualifier() = apacheEmail.getAnAccess() and
+    ma.getMethod().hasName("setSSLCheckServerIdentity") and
+    ma.getMethod().getDeclaringType() instanceof ApacheEmail and
+    ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
+  )
+}
+
+/**
+ * Returns the string value of `expr` if it is a `CompileTimeConstantExpr`,
+ * or the string value of its operands if it is an `AddExpr`.
+ */
+private string getStringValue(Expr expr) {
+  result = expr.(CompileTimeConstantExpr).getStringValue()
+  or
+  result = getStringValue(expr.(AddExpr).getAnOperand())
+}
+
+/**
+ * A method to set Java properties, either using the `Properties` class
+ * or the `Dictionary` class.
+ */
+private class SetPropertyMethod extends Method {
+  SetPropertyMethod() {
+    this instanceof PropertiesSetPropertyMethod
+    or
+    this.hasName("put") and
+    this.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.util", "Dictionary")
+  }
+}

java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>JavaMail is commonly used in Java applications to send emails. There are popular third-party libraries like Apache Commons Email which are built on JavaMail and facilitate integration. Authenticated mail sessions require user credentials and mail sessions can require SSL/TLS authentication. It is a common security vulnerability that host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.</p>
+    <p>This query checks whether the SSL certificate is validated when credentials are used and SSL is enabled in email communications.</p>
+    <p>The query has code for both plain JavaMail invocation and mailing through Apache SimpleMail to make it more comprehensive.</p>
+  </overview>
+
+  <recommendation>
+    <p>Validate SSL certificate when sensitive information is sent in email communications.</p>
+  </recommendation>
+
+  <example>
+    <p>The following two examples show two ways of configuring secure emails through JavaMail or Apache SimpleMail. In the 'BAD' case,
+credentials are sent in an SSL session without certificate validation. In the 'GOOD' case, the certificate is validated.</p>
+    <sample src="JavaMail.java" />
+    <sample src="SimpleMail.java" />
+  </example>
+
+  <references>
+    <li>
+      Jakarta Mail:
+      <a href="https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt">SSL Notes</a>.
+    </li>
+    <li>
+      Apache Commons:
+      <a href="https://commons.apache.org/proper/commons-email/userguide.html#Security">Email security</a>.
+    </li>
+    <li>
+      Log4j2:
+      <a href="https://issues.apache.org/jira/browse/LOG4J2-2819">Add support for specifying an SSL configuration for SmtpAppender (CVE-2020-9488)</a>.
+    </li>
+  </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Insecure JavaMail SSL Configuration
+ * @description Configuring a Java application to use authenticated mail session
+ *              over SSL without certificate validation
+ *              makes the session susceptible to a man-in-the-middle attack.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.9
+ * @precision medium
+ * @id java/insecure-smtp-ssl
+ * @tags security
+ *       external/cwe/cwe-297
+ */
+
+import java
+import semmle.code.java.security.Mail
+
+from MethodAccess ma
+where
+  ma.getMethod() instanceof MailSessionGetInstanceMethod and
+  isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())
+  or
+  enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())
+select ma, "Java mailing has insecure SSL configuration"