Merge pull request #5983 from atorralba/atorralba/promote-insecure-basic-auth

Java: Promote Insecure Basic Authentication query from experimental

Author: atorralba

java/change-notes/2021-06-01-insecure-basic-auth-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Insecure basic authentication" (`java/insecure-basic-auth`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3976).

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -52,11 +52,20 @@ class UriCreation extends Call {
   /**
    * Gets the host argument of the newly created URI. In the case where the
    * host is specified separately, this is only the host. In the case where the
-   * uri is parsed from an input string, such as in
+   * URI is parsed from an input string, such as in
    * `URI("http://foo.com/mypath")`, this is the entire argument passed in,
    * that is `"http://foo.com/mypath"`.
    */
-  Expr getHostArg() { none() }
+  abstract Expr getHostArg();
+
+  /**
+   * Gets the scheme argument of the newly created URI. In the case where the
+   * scheme is specified separately, this is only the scheme. In the case where the
+   * URI is parsed from an input string, such as in
+   * `URI("http://foo.com/mypath")`, this is the entire argument passed in,
+   * that is `"http://foo.com/mypath"`.
+   */
+  abstract Expr getSchemeArg();
 }
 
 /** A `java.net.URI` constructor call. */
@@ -74,13 +83,17 @@ class UriConstructorCall extends ClassInstanceExpr, UriCreation {
     //    String fragment)
     result = this.getArgument(2) and this.getNumArgument() = 7
   }
+
+  override Expr getSchemeArg() { result = this.getArgument(0) }
 }
 
 /** A call to `java.net.URI::create`. */
 class UriCreate extends UriCreation {
   UriCreate() { this.getCallee().hasName("create") }
 
   override Expr getHostArg() { result = this.getArgument(0) }
+
+  override Expr getSchemeArg() { result = this.getArgument(0) }
 }
 
 /** A `java.net.URL` constructor call. */
@@ -105,7 +118,7 @@ class UrlConstructorCall extends ClassInstanceExpr {
   }
 
   /** Gets the argument that corresponds to the protocol of the URL. */
-  Expr protocolArg() {
+  Expr getProtocolArg() {
     // In all cases except where the first parameter is a URL, the argument
     // containing the protocol is the first one, otherwise it is the second.
     if this.getConstructor().getParameterType(0) instanceof TypeUrl

java/ql/lib/semmle/code/java/security/HttpsUrls.qll

@@ -0,0 +1,91 @@
+/** Provides classes and predicates to reason about plaintext HTTP vulnerabilities. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.frameworks.ApacheHttp
+private import semmle.code.java.frameworks.Networking
+
+/**
+ * String of HTTP URLs not in private domains.
+ */
+class HttpStringLiteral extends StringLiteral {
+  HttpStringLiteral() {
+    exists(string s | this.getRepresentedString() = s |
+      s = "http"
+      or
+      s.matches("http://%") and
+      not s.substring(7, s.length()) instanceof PrivateHostName and
+      not TaintTracking::localExprTaint(any(StringLiteral p |
+          p.getRepresentedString() instanceof PrivateHostName
+        ), this.getParent*())
+    )
+  }
+}
+
+/**
+ * A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`.
+ */
+abstract class UrlOpenSink extends DataFlow::Node { }
+
+private class DefaultUrlOpenSink extends UrlOpenSink {
+  DefaultUrlOpenSink() { sinkNode(this, "open-url") }
+}
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply
+ * to configurations working with HTTP URLs.
+ */
+class HttpUrlsAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for taint tracking configurations working with HTTP URLs.
+   */
+  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
+}
+
+private class DefaultHttpUrlAdditionalTaintStep extends HttpUrlsAdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    apacheHttpRequestStep(n1, n2) or
+    createUriStep(n1, n2) or
+    createUrlStep(n1, n2) or
+    urlOpenStep(n1, n2)
+  }
+}
+
+/** Constructor of `ApacheHttpRequest` */
+private predicate apacheHttpRequestStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(ConstructorCall cc |
+    cc.getConstructedType() instanceof ApacheHttpRequest and
+    node2.asExpr() = cc and
+    cc.getAnArgument() = node1.asExpr()
+  )
+}
+
+/** `URI` methods */
+private predicate createUriStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(UriConstructorCall cc |
+    cc.getSchemeArg() = node1.asExpr() and
+    node2.asExpr() = cc
+  )
+}
+
+/** Constructors of `URL` */
+private predicate createUrlStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(UrlConstructorCall cc |
+    cc.getProtocolArg() = node1.asExpr() and
+    node2.asExpr() = cc
+  )
+}
+
+/** Method call of `HttpURLOpenMethod` */
+private predicate urlOpenStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(MethodAccess ma |
+    ma.getMethod() instanceof UrlOpenConnectionMethod and
+    node1.asExpr() = ma.getQualifier() and
+    ma = node2.asExpr()
+  )
+}

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -0,0 +1,25 @@
+/** Provides taint tracking configurations to be used in HTTPS URLs queries. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.security.HttpsUrls
+
+/**
+ * A taint tracking configuration for HTTP connections.
+ */
+class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Configuration {
+  HttpStringToUrlOpenMethodFlowConfig() { this = "HttpStringToUrlOpenMethodFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpStringLiteral }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+}

java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll

@@ -0,0 +1,45 @@
+/** Provides classes and predicates to reason about Insecure Basic Authentication vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.HttpsUrls
+
+/**
+ * A source that represents HTTP URLs.
+ * Extend this class to add your own Insecure Basic Authentication sources.
+ */
+abstract class InsecureBasicAuthSource extends DataFlow::Node { }
+
+/** A default source representing HTTP strings, URLs or URIs. */
+private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource {
+  DefaultInsecureBasicAuthSource() { this.asExpr() instanceof HttpStringLiteral }
+}
+
+/**
+ * A sink that represents a method that sets Basic Authentication.
+ * Extend this class to add your own Insecure Basic Authentication sinks.
+ */
+abstract class InsecureBasicAuthSink extends DataFlow::Node { }
+
+/** A default sink representing methods that set an Authorization header. */
+private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink {
+  DefaultInsecureBasicAuthSink() {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("addHeader") or
+      ma.getMethod().hasName("setHeader") or
+      ma.getMethod().hasName("setRequestProperty")
+    |
+      this.asExpr() = ma.getQualifier() and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Authorization" and
+      TaintTracking::localExprTaint(any(BasicAuthString b), ma.getArgument(1))
+    )
+  }
+}
+
+/**
+ * String pattern of basic authentication.
+ */
+private class BasicAuthString extends StringLiteral {
+  BasicAuthString() { exists(string s | this.getRepresentedString() = s | s.matches("Basic %")) }
+}

java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll

@@ -0,0 +1,22 @@
+/** Provides taint tracking configurations to be used in Insecure Basic Authentication queries. */
+
+import java
+import semmle.code.java.security.HttpsUrls
+import semmle.code.java.security.InsecureBasicAuth
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A taint tracking configuration for the Basic authentication scheme
+ * being used in HTTP connections.
+ */
+class BasicAuthFlowConfig extends TaintTracking::Configuration {
+  BasicAuthFlowConfig() { this = "InsecureBasicAuth::BasicAuthFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
+  }
+}

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -11,54 +11,10 @@
  */
 
 import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.frameworks.Networking
+import semmle.code.java.security.HttpsUrlsQuery
 import DataFlow::PathGraph
-private import semmle.code.java.dataflow.ExternalFlow
 
-class HttpString extends StringLiteral {
-  HttpString() {
-    // Avoid matching "https" here.
-    exists(string s | this.getRepresentedString() = s |
-      (
-        // Either the literal "http", ...
-        s = "http"
-        or
-        // ... or the beginning of a http URL.
-        s.matches("http://%")
-      ) and
-      not s.matches("%/localhost%")
-    )
-  }
-}
-
-class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Configuration {
-  HttpStringToUrlOpenMethodFlowConfig() { this = "HttpsUrls::HttpStringToUrlOpenMethodFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpString }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(UrlConstructorCall u |
-      node1.asExpr() = u.protocolArg() and
-      node2.asExpr() = u
-    )
-  }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-}
-
-/**
- * A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`.
- */
-private class UrlOpenSink extends DataFlow::Node {
-  UrlOpenSink() { sinkNode(this, "open-url") }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpString s
+from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpStringLiteral s
 where
   source.getNode().asExpr() = s and
   sink.getNode().asExpr() = m.getQualifier() and

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.java renamed to java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.java

@@ -1,22 +1,19 @@
 public class InsecureBasicAuth {
   /**
    * Test basic authentication with Apache HTTP request.
-   */	
+   */
   public void testApacheHttpRequest(String username, String password) {
-  {
+
     // BAD: basic authentication over HTTP
     String url = "http://www.example.com/rest/getuser.do?uid=abcdx";
-  }
 
-  {
     // GOOD: basic authentication over HTTPS
-    String url = "https://www.example.com/rest/getuser.do?uid=abcdx";
-  }
+    url = "https://www.example.com/rest/getuser.do?uid=abcdx";
 
     HttpPost post = new HttpPost(url);
     post.setHeader("Accept", "application/json");
     post.setHeader("Content-type", "application/json");
-		
+
     String authString = username + ":" + password;
     byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
     String authStringEnc = new String(authEncBytes);
@@ -28,15 +25,12 @@ public void testApacheHttpRequest(String username, String password) {
    * Test basic authentication with Java HTTP URL connection.
    */
   public void testHttpUrlConnection(String username, String password) {
-  {
+
     // BAD: basic authentication over HTTP
     String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
-  }
 
-  {
     // GOOD: basic authentication over HTTPS
-    String urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";
-  }
+    urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";
 
     String authString = username + ":" + password;
     String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.qhelp renamed to java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.qhelp

@@ -2,7 +2,7 @@
 <qhelp>
 
   <overview>
-    <p>Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed, thus it must not be transmitted over the cleartext HTTP channel. Transmission of sensitive information not in HTTPS is vulnerable to packet sniffing.</p>
+    <p>Basic authentication only obfuscates usernames and passwords in Base64 encoding, which can be easily recognized and reversed, thus it must not be transmitted over the cleartext HTTP channel. Transmitting sensitive information without using HTTPS makes the data vulnerable to packet sniffing.</p>
   </overview>
 
   <recommendation>
@@ -15,16 +15,13 @@
   </example>
 
   <references>
-    <li>
-      <a href="https://cwe.mitre.org/data/definitions/522">CWE-522</a>
-    </li>
     <li>
       SonarSource rule:
-      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2647">Basic authentication should not be used</a>
+      <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-2647">Basic authentication should not be used</a>.
     </li>
     <li>
       Acunetix:
-      <a href="https://www.acunetix.com/vulnerabilities/web/basic-authentication-over-http/">WEB VULNERABILITIES INDEX - Basic authentication over HTTP</a>
+      <a href="https://www.acunetix.com/vulnerabilities/web/basic-authentication-over-http/">WEB VULNERABILITIES INDEX - Basic authentication over HTTP</a>.
     </li>
   </references>
 </qhelp>

java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Insecure basic authentication
+ * @description Basic authentication only obfuscates username/password in
+ *              Base64 encoding, which can be easily recognized and reversed.
+ *              Transmitting sensitive information without using HTTPS makes
+ *              the data vulnerable to packet sniffing.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision medium
+ * @id java/insecure-basic-auth
+ * @tags security
+ *       external/cwe/cwe-522
+ *       external/cwe/cwe-319
+ */
+
+import java
+import semmle.code.java.security.InsecureBasicAuthQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config
+where config.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Insecure basic authentication from $@.", source.getNode(),
+  "HTTP URL"