Fixed a false-positive in CWE-297/IgnoredHostnameVerification.ql

artem-smotrakov · artem-smotrakov · commit f78002bc0238 · 2022-01-16T18:25:18.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
 
 private class HostnameVerificationCall extends MethodAccess {
   HostnameVerificationCall() {
@@ -27,12 +27,14 @@ private class HostnameVerificationCall extends MethodAccess {
     not exists(
       DataFlow::Node source, DataFlow::Node sink, CheckFailedHostnameVerificationConfig config
     |
-      this = source.asExpr() and config.hasFlow(source, sink)
+      this = source.asExpr()
+    |
+      config.hasFlow(source, sink)
     )
   }
 }
 
-private class CheckFailedHostnameVerificationConfig extends DataFlow::Configuration {
+private class CheckFailedHostnameVerificationConfig extends TaintTracking::Configuration {
   CheckFailedHostnameVerificationConfig() { this = "CheckFailedHostnameVerificationConfig" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -43,6 +45,7 @@ private class CheckFailedHostnameVerificationConfig extends DataFlow::Configurat
     exists(Guard guard, ThrowStmt throwStmt |
       guard.controls(throwStmt.getBasicBlock(), _) and
       (
+        guard = sink.asExpr() or
         guard.(EqualityTest).getAnOperand() = sink.asExpr() or
         guard.(HostnameVerificationCall) = sink.asExpr()
       )
diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
@@ -62,7 +62,10 @@ public static SSLSocket connectWithHostnameVerification02(
 
     SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
     socket.startHandshake();
-    boolean successful = verifier.verify(host, socket.getSession());
+    boolean successful = false;
+    if (verifier != null) {
+      successful = verifier.verify(host, socket.getSession());
+    }
     if (!successful) {
       socket.close();
       throw new SSLException("Oops! Hostname verification failed!");

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`
`13`	`13`	`import java`
`14`	`14`	`import semmle.code.java.controlflow.Guards`
`15`		`-import semmle.code.java.dataflow.DataFlow`
	`15`	`+import semmle.code.java.dataflow.TaintTracking`
`16`	`16`
`17`	`17`	`private class HostnameVerificationCall extends MethodAccess {`
`18`	`18`	`HostnameVerificationCall() {`
`@@ -27,12 +27,14 @@ private class HostnameVerificationCall extends MethodAccess {`
`27`	`27`	`not exists(`
`28`	`28`	`DataFlow::Node source, DataFlow::Node sink, CheckFailedHostnameVerificationConfig config`
`29`	`29`	`\|`
`30`		`- this = source.asExpr() and config.hasFlow(source, sink)`
	`30`	`+ this = source.asExpr()`
	`31`	`+ \|`
	`32`	`+ config.hasFlow(source, sink)`
`31`	`33`	`)`
`32`	`34`	`}`
`33`	`35`	`}`
`34`	`36`
`35`		`-private class CheckFailedHostnameVerificationConfig extends DataFlow::Configuration {`
	`37`	`+private class CheckFailedHostnameVerificationConfig extends TaintTracking::Configuration {`
`36`	`38`	`CheckFailedHostnameVerificationConfig() { this = "CheckFailedHostnameVerificationConfig" }`
`37`	`39`
`38`	`40`	`override predicate isSource(DataFlow::Node source) {`
`@@ -43,6 +45,7 @@ private class CheckFailedHostnameVerificationConfig extends DataFlow::Configurat`
`43`	`45`	`exists(Guard guard, ThrowStmt throwStmt \|`
`44`	`46`	`guard.controls(throwStmt.getBasicBlock(), _) and`
`45`	`47`	`(`
	`48`	`+ guard = sink.asExpr() or`
`46`	`49`	`guard.(EqualityTest).getAnOperand() = sink.asExpr() or`
`47`	`50`	`guard.(HostnameVerificationCall) = sink.asExpr()`
`48`	`51`	`)`