Updated test cases to include test for java10+ CREDENTIALS_FILTER_PATTERN constant

Timo Mueller · Timo Mueller · commit 75f6ec1f0dab · 2021-05-25T17:08:58.000+02:00
diff --git a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected
@@ -1,13 +1,15 @@
 edges
-| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:23:12:23:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) |
+| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) |
 | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:40:31:40:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:44:59:44:61 | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:49:31:49:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:53:34:53:36 | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env |
 nodes
-| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:23:12:23:29 | this <constr(this)> [post update] : RMIConnectorServer | semmle.label | this <constr(this)> [post update] : RMIConnectorServer |
+| ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | semmle.label | this <constr(this)> [post update] : RMIConnectorServer |
 | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | semmle.label | newJMXConnectorServer(...) |
 | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | semmle.label | new RMIConnectorServer(...) |
 | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
@@ -22,11 +24,13 @@ nodes
 | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | semmle.label | env |
 | InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
 | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | semmle.label | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:76:31:76:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
+| InsecureRmiJmxEnvironmentConfiguration.java:80:59:80:61 | env | semmle.label | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:85:31:85:45 | new HashMap<String,Object>(...) : HashMap | semmle.label | new HashMap<String,Object>(...) : HashMap |
+| InsecureRmiJmxEnvironmentConfiguration.java:89:34:89:36 | env | semmle.label | env |
 #select
 | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:13:5:13:69 | newJMXConnectorServer(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:23:12:23:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:23:12:23:29 | this <constr(this)> [post update] | source environment 'Map' |
+| InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] : RMIConnectorServer | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | ../../../stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java:26:12:26:29 | this <constr(this)> [post update] | source environment 'Map' |
 | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with 'null' environment $@. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | here | InsecureRmiJmxEnvironmentConfiguration.java:18:5:18:50 | new RMIConnectorServer(...) | source environment 'Map' |
 | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:27:34:27:36 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:25:31:25:45 | new HashMap<String,Object>(...) | source environment 'Map' |
 | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:35:59:35:61 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:33:31:33:45 | new HashMap<String,Object>(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:62:59:62:61 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:58:31:58:45 | new HashMap<String,Object>(...) | source environment 'Map' |
-| InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) : HashMap | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | RMI/JMX server initialized with insecure environment $@. The $@ never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:71:34:71:36 | env | here | InsecureRmiJmxEnvironmentConfiguration.java:67:31:67:45 | new HashMap<String,Object>(...) | source environment 'Map' |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java
@@ -53,21 +53,39 @@ public void secureRmiConnnectorServer() throws IOException {
     new RMIConnectorServer(null, env, null, null);
   }
 
-  public void secureeJmxConnectorServerConstants() throws IOException {
+  public void secureeJmxConnectorServerConstants1() throws IOException {
     // Good
     Map<String, Object> env = new HashMap<>();
     env.put("jmx.remote.x.daemon", "true");
-    env.put("RMIConnectorServer.SERIAL_FILTER_PATTERN",
-        new String[] { String[].class.getName(), String.class.getName() });
+    env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, "java.lang.String;!*"); // Deny everything but
+                                                                                   // java.lang.String
     JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
   }
 
-  public void secureeRmiConnectorServerConstants() throws IOException {
+  public void secureeRmiConnectorServerConstants1() throws IOException {
     // Good
     Map<String, Object> env = new HashMap<>();
     env.put("jmx.remote.x.daemon", "true");
-    env.put("RMIConnectorServer.SERIAL_FILTER_PATTERN",
-        new String[] { String[].class.getName(), String.class.getName() });
+    String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+    env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
+    new RMIConnectorServer(null, env, null, null);
+  }
+
+  public void secureeJmxConnectorServerConstants2() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    env.put("jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*"); // Deny everything but
+                                                                                        // java.lang.String
+    JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
+  }
+
+  public void secureeRmiConnectorServerConstants2() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+    env.put("jmx.remote.rmi.server.credentials.filter.pattern", stringsOnlyFilter);
     new RMIConnectorServer(null, env, null, null);
   }
 }
diff --git a/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java b/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java
@@ -11,6 +11,9 @@
 
 //public class RMIConnectorServerTEST extends JMXConnectorServer{
 public class RMIConnectorServer extends java.lang.Object {
+
+    public static final String CREDENTIALS_FILTER_PATTERN = "jmx.remote.rmi.server.credentials.filter.pattern";
+
     public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment) throws IOException {
         // stub;
     }

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,9 @@`
`11`	`11`
`12`	`12`	`//public class RMIConnectorServerTEST extends JMXConnectorServer{`
`13`	`13`	`public class RMIConnectorServer extends java.lang.Object {`
	`14`	`+`
	`15`	`+ public static final String CREDENTIALS_FILTER_PATTERN = "jmx.remote.rmi.server.credentials.filter.pattern";`
	`16`	`+`
`14`	`17`	`public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment) throws IOException {`
`15`	`18`	`// stub;`
`16`	`19`	`}`