Merged simplified query

Author: smowton

java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql

@@ -1,7 +1,7 @@
 /**
  * @name InsecureRmiJmxAuthenticationEnvironment
- * @description Creating a JMX/RMI server could lead to code execution through insecure deserialization if its environment does not restrict the types that can be deserialized.
- * @kind path-problem
+ * @description This query detects if a JMX/RMI server is created with a potentially dangerous environment, which could lead to code execution through insecure deserialization.
+ * @kind problem
  * @problem.severity error
  * @tags security
  *       external/cwe/cwe-665
@@ -11,11 +11,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow2
 import semmle.code.java.Maps
-import DataFlow::PathGraph
-import semmle.code.java.dataflow.NullGuards
-import semmle.code.java.dataflow.Nullness
 
 /** Holds if `constructor` instantiates an RMI or JMX server. */
 predicate isRmiOrJmxServerCreateConstructor(Constructor constructor) {
@@ -31,17 +27,23 @@ predicate isRmiOrJmxServerCreateMethod(Method method) {
 }
 
 /**
- * Models flow from `new HashMap<>()` to a
- * `map.put("jmx.remote.rmi.server.credential.types", value)` call.
+ * Models flow from the qualifier of a
+ * `map.put("jmx.remote.rmi.server.credential.types", value)` call
+ * to an RMI or JMX initialisation call.
  */
-class MapToPutCredentialstypeConfiguration extends DataFlow2::Configuration {
-  MapToPutCredentialstypeConfiguration() { this = "MapToPutCredentialstypeConfiguration" }
+class SafeFlow extends DataFlow::Configuration {
+  SafeFlow() { this = "MapToPutCredentialstypeConfiguration" }
 
-  override predicate isSource(DataFlow2::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof MapType
-  }
+  override predicate isSource(DataFlow::Node source) { putsCredentialtypesKey(source.asExpr()) }
 
-  override predicate isSink(DataFlow2::Node sink) { putsCredentialtypesKey(sink.asExpr()) }
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call c |
+      isRmiOrJmxServerCreateConstructor(c.getCallee()) or
+      isRmiOrJmxServerCreateMethod(c.getCallee())
+    |
+      sink.asExpr() = c.getArgument(1)
+    )
+  }
 
   /**
    * Holds if a `put` call on `qualifier` puts a key match
@@ -53,8 +55,11 @@ class MapToPutCredentialstypeConfiguration extends DataFlow2::Configuration {
         "jmx.remote.rmi.server.credential.types" or
       put.getKey().(CompileTimeConstantExpr).getStringValue() =
         "jmx.remote.rmi.server.credentials.filter.pattern" or
-      put.getKey().toString() = "RMIConnectorServer.CREDENTIAL_TYPES" or // This can probably be solved more nicely
-      put.getKey().toString() = "RMIConnectorServer.CREDENTIALS_FILTER_PATTERN" // This can probably be solved more nicely
+      put.getKey()
+          .(FieldAccess)
+          .getField()
+          .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer",
+            ["CREDENTIAL_TYPES", "CREDENTIALS_FILTER_PATTERN", "SERIAL_FILTER_PATTERN"])
     |
       put.getQualifier() = qualifier and
       put.getMethod().(MapMethod).getReceiverKeyType() instanceof TypeString and
@@ -63,90 +68,21 @@ class MapToPutCredentialstypeConfiguration extends DataFlow2::Configuration {
   }
 }
 
-/**
- * Models flow from `new HashMap<>()` variable which is later used as environment during
- * a JMX/RMI server initialization with `newJMXConnectorServer(...)` or `RMIConnectorServer(...)`
- */
-class MapToRmiServerInitConfiguration extends DataFlow::Configuration {
-  MapToRmiServerInitConfiguration() { this = "MapToRmiServerInitConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof MapType
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall ccall |
-      sink.asExpr() = ccall.getArgument(1) and
-      isRmiOrJmxServerCreateConstructor(ccall.getConstructor())
-    )
-    or
-    exists(MethodAccess ma |
-      sink.asExpr() = ma.getArgument(1) and
-      isRmiOrJmxServerCreateMethod(ma.getMethod())
-    )
-  }
-}
-
-/** Models if any JMX/RMI server are initialized with a null environment */
-class FlowServerInitializedWithNullEnv extends DataFlow::Configuration {
-  FlowServerInitializedWithNullEnv() { this = "FlowServerInitializedWithNullEnv" }
-
-  override predicate isSource(DataFlow::Node source) { any() }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ConstructorCall ccall |
-      sink.asExpr() = ccall and
-      isRmiOrJmxServerCreateConstructor(ccall.getConstructor()) and
-      ccall.getArgument(1) = alwaysNullExpr()
-    )
-    or
-    exists(MethodAccess ma |
-      sink.asExpr() = ma and
-      isRmiOrJmxServerCreateMethod(ma.getMethod()) and
-      ma.getArgument(1) = alwaysNullExpr()
-    )
-  }
-}
-
-/** Holds if within the passed PathNode a "jmx.remote.rmi.server.credential.types" is set. */
-predicate mapFlowContainsCredentialtype(DataFlow::PathNode source) {
-  exists(MapToPutCredentialstypeConfiguration conf | conf.hasFlow(source.getNode(), _))
-}
-
 /** Gets a string describing why the application is vulnerable, depending on if the vulnerability is present due to a) a null environment b) an insecurely set environment map */
-bindingset[source]
-string getRmiResult(DataFlow::PathNode source) {
+string getRmiResult(Expr e) {
   // We got a Map so we have a source and a sink node
-  if source.getNode().getType() instanceof MapType
+  if e instanceof NullLiteral
   then
     result =
-      "RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method."
+      "RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks."
   else
-    // The environment is not a map so we most likely have a "null" environment and therefore only a sink
     result =
-      "RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks."
+      "RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method."
 }
 
-/** Holds for any map flow paths with **no** jmx.remote.rmi.server.credential.types set */
-predicate hasVulnerableMapFlow(DataFlow::PathNode source, DataFlow::PathNode sink) {
-  exists(MapToRmiServerInitConfiguration dataflow |
-    dataflow.hasFlowPath(source, sink) and
-    not mapFlowContainsCredentialtype(source)
-  )
-}
-
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink,
-  FlowServerInitializedWithNullEnv initNullDataflow
+from Call c, Expr envArg
 where
-  // Check if server is created with null env
-  initNullDataflow.hasFlowPath(source, sink)
-  or
-  /*
-   * The map created by `new HashMap<String, Object>()` has to a) flow to the sink and
-   *  b) there must not exist a (different) sink that would put `"jmx.remote.rmi.server.credential.types"` into `source`.
-   */
-
-  hasVulnerableMapFlow(source, sink)
-select sink.getNode(), source, sink, getRmiResult(source), sink.getNode(), "here", source.getNode(),
-  "source environment 'Map'"
+  (isRmiOrJmxServerCreateConstructor(c.getCallee()) or isRmiOrJmxServerCreateMethod(c.getCallee())) and
+  envArg = c.getArgument(1) and
+  not any(SafeFlow conf).hasFlowToExpr(envArg)
+select c, getRmiResult(envArg), envArg, envArg.toString()

java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected

@@ -1,36 +1,4 @@
-edges
-| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) |
-| InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:40:31:40:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:44:59:44:61 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:49:31:49:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:53:34:53:36 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env |
-nodes
-| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | semmle.label | this <constr(this)> [post update] : RMIConnectorServer |
-| InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | semmle.label | newJMXConnectorServer(...) |
-| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | semmle.label | new RMIConnectorServer(...) |
-| InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:40:31:40:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:44:59:44:61 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:49:31:49:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:53:34:53:36 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env | semmle.label | env |
-| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
-| InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env | semmle.label | env |
-#select
-| InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) | source environment 'Map' |
+| InsecureRmiJmxEnvironmentConfiguration.java:12:5:12:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:12:59:12:62 | null | null |
+| InsecureRmiJmxEnvironmentConfiguration.java:17:5:17:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:17:34:17:37 | null | null |
+| InsecureRmiJmxEnvironmentConfiguration.java:25:5:25:49 | new RMIConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:25:34:25:36 | env | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:33:5:33:68 | newJMXConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:33:59:33:61 | env | env |

java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java

@@ -1,6 +1,5 @@
 import java.io.IOException;
 import javax.management.remote.JMXConnectorServerFactory;
-
 import javax.management.remote.rmi.RMIConnectorServer;
 
 import java.util.HashMap;
@@ -16,7 +15,6 @@ public void initInsecureJmxDueToNullEnv() throws IOException {
   public void initInsecureRmiDueToNullEnv() throws IOException {
     // Bad initializing env (arg1) with null
     new RMIConnectorServer(null, null, null, null);
-
   }
 
   public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException {
@@ -71,7 +69,7 @@ public void secureeRmiConnectorServerConstants1() throws IOException {
     new RMIConnectorServer(null, env, null, null);
   }
 
-  public void secureeJmxConnectorServerConstants2() throws IOException {
+  public void secureJmxConnectorServerConstants2() throws IOException {
     // Good
     Map<String, Object> env = new HashMap<>();
     env.put("jmx.remote.x.daemon", "true");
@@ -80,7 +78,7 @@ public void secureeJmxConnectorServerConstants2() throws IOException {
     JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
   }
 
-  public void secureeRmiConnectorServerConstants2() throws IOException {
+  public void secureRmiConnectorServerConstants2() throws IOException {
     // Good
     Map<String, Object> env = new HashMap<>();
     env.put("jmx.remote.x.daemon", "true");

java/ql/test/experimental/query-tests/security/CWE-665/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../../experimental/stubs/javax-management-remote-rmi-0.0.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/rmi-remote-0.0.0

java/ql/test/experimental/stubs/rmi-remote-0.0.0/README

@@ -0,0 +1 @@
+This is a workaround for a bug in which the extractor can't resolve type javax.management.remote.rmi.RMIConnectorServer even though it has been part of the JDK since Java 5

java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnection.java

@@ -0,0 +1,6 @@
+package javax.management.remote.rmi;
+
+import java.rmi.Remote;
+import java.io.Closeable;
+
+interface RMIConnection extends Closeable, Remote { }

java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnectorServer.java

@@ -0,0 +1,34 @@
+package javax.management.remote.rmi;
+
+import java.util.Map;
+
+import javax.management.remote.JMXConnectorServer;
+import javax.management.remote.JMXConnector;
+import javax.management.remote.JMXServiceURL;
+import javax.management.remote.MBeanServerForwarder;
+import javax.management.MBeanServer;
+
+// Note this is a partial stub sufficient to the needs of tests for CWE-665
+public class RMIConnectorServer extends JMXConnectorServer {
+
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment) { }
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, MBeanServer mbeanServer) { }
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, RMIServerImpl rmiServerImpl, MBeanServer mbeanServer) { }
+
+  public static String CREDENTIAL_TYPES	= "";
+  public static String CREDENTIALS_FILTER_PATTERN = "";
+  public static String JNDI_REBIND_ATTRIBUTE = "";
+  public static String RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE = "";
+  public static String RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE = "";
+  public static String SERIAL_FILTER_PATTERN = "";
+
+  public Map<String,?> getAttributes() { return null; }
+  public JMXServiceURL getAddress() { return null; }
+  public String[] getConnectionIds() { return null; }
+  public boolean isActive() { return true; }
+  public void setMBeanServerForwarder(MBeanServerForwarder mbsf) { }
+  public void start() { }
+  public void stop() { }
+  public JMXConnector toJMXConnector(Map<String,?> env) { return null; }
+
+}

java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServer.java

@@ -0,0 +1,3 @@
+package javax.management.remote.rmi;
+
+interface RMIServer { }

java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServerImpl.java

@@ -0,0 +1,12 @@
+package javax.management.remote.rmi;
+
+import java.io.Closeable;
+import java.rmi.Remote;
+
+public class RMIServerImpl implements Closeable, RMIServer { 
+
+  public void close() { }
+  public String getVersion() { return null; }
+  public RMIConnection newClient(Object credentials) { return null; }
+
+}