Exclude loopback address from reverse DNS source

owen-mc · owen-mc · commit 7a13c310211b · 2024-06-14T14:05:01.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -126,7 +126,7 @@ private class ReverseDnsSource extends RemoteFlowSource {
       m.getMethod() instanceof ReverseDnsMethod and
       not exists(MethodCall l |
         (variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
-        l.getMethod().getName() = "getLocalHost"
+        (l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
       )
     )
   }
diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
@@ -53,10 +53,10 @@ public static void main(HttpServletRequest request) throws Exception {
 		InetAddress loopback = InetAddress.getLoopbackAddress();
 		// GOOD: reverse DNS on loopback address is fine
 		if (loopback.getCanonicalHostName().equals("localhost")) {
-			login(user, password); // $ SPURIOUS: hasConditionalBypassTest
+			login(user, password); // $ hasConditionalBypassTest
 		}
 		if (Inet4Address.getLoopbackAddress().getCanonicalHostName().equals("localhost")) {
-			login(user, password); // $ SPURIOUS: hasConditionalBypassTest
+			login(user, password); // $ hasConditionalBypassTest
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ private class ReverseDnsSource extends RemoteFlowSource {`
`126`	`126`	`m.getMethod() instanceof ReverseDnsMethod and`
`127`	`127`	`not exists(MethodCall l \|`
`128`	`128`	`(variableStep(l, m.getQualifier()) or l = m.getQualifier()) and`
`129`		`- l.getMethod().getName() = "getLocalHost"`
	`129`	`+ (l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")`
`130`	`130`	`)`
`131`	`131`	`)`
`132`	`132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,10 @@ public static void main(HttpServletRequest request) throws Exception {`
`53`	`53`	`InetAddress loopback = InetAddress.getLoopbackAddress();`
`54`	`54`	`// GOOD: reverse DNS on loopback address is fine`
`55`	`55`	`if (loopback.getCanonicalHostName().equals("localhost")) {`
`56`		`- login(user, password); // $ SPURIOUS: hasConditionalBypassTest`
	`56`	`+ login(user, password); // $ hasConditionalBypassTest`
`57`	`57`	`}`
`58`	`58`	`if (Inet4Address.getLoopbackAddress().getCanonicalHostName().equals("localhost")) {`
`59`		`- login(user, password); // $ SPURIOUS: hasConditionalBypassTest`
	`59`	`+ login(user, password); // $ hasConditionalBypassTest`
`60`	`60`	`}`
`61`	`61`	`}`
`62`	`62`