Merge pull request github#5164 from luchua-bc/java/insecure-ldap-endpoint

Java: CWE-297 Query to detect insecure LDAP endpoint configuration

Author: aschackmull

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.java

@@ -0,0 +1,18 @@
+public class InsecureLdapEndpoint {
+    public Hashtable<String, String> createConnectionEnv() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // BAD - Test configuration with disabled SSL endpoint check.
+        {
+            System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
+        }
+
+        return env;
+    }
+}

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Java versions 8u181 or greater have enabled LDAPS endpoint identification by default. Nowadays 
+  infrastructure services like LDAP are commonly deployed behind load balancers therefore the LDAP 
+  server name can be different from the FQDN of the LDAPS endpoint. If a service certificate does not 
+  properly contain a matching DNS name as part of the certificate, Java will reject it by default.</p>
+<p>Instead of addressing the issue properly by having a compliant certificate deployed, frequently 
+  developers simply disable the LDAPS endpoint check.</p>
+<p>Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. 
+  This query checks whether the LDAPS endpoint check is disabled in system properties.</p>
+</overview>
+
+<recommendation>
+<p>Replace any non-conforming LDAP server certificates to include a DNS name in the subjectAltName field 
+  of the certificate that matches the FQDN of the service.</p>
+</recommendation>
+
+<example>
+<p>The following two examples show two ways of configuring LDAPS endpoint. In the 'BAD' case, 
+  endpoint check is disabled. In the 'GOOD' case, endpoint check is left enabled through the 
+  default Java configuration.</p>
+<sample src="InsecureLdapEndpoint.java" />
+<sample src="InsecureLdapEndpoint2.java" />
+</example>
+
+<references>
+<li>
+  Oracle Java 8 Update 181 (8u181):
+  <a href="https://www.java.com/en/download/help/release_changes.html">Endpoint identification enabled on LDAPS connections</a>
+</li>
+<li>
+  IBM:
+  <a href="https://www.ibm.com/support/pages/how-do-i-fix-ldap-ssl-error-%E2%80%9Cjavasecuritycertcertificateexception-no-subject-alternative-names-present%E2%80%9D-websphere-application-server">Fix this LDAP SSL error</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql

@@ -0,0 +1,107 @@
+/**
+ * @name Insecure LDAPS Endpoint Configuration
+ * @description Java application configured to disable LDAPS endpoint identification does not validate
+ *              the SSL certificate to properly ensure that it is actually associated with that host.
+ * @kind problem
+ * @id java/insecure-ldaps-endpoint
+ * @tags security
+ *       external/cwe-297
+ */
+
+import java
+
+/** The method to set a system property. */
+class SetSystemPropertyMethod extends Method {
+  SetSystemPropertyMethod() {
+    this.hasName("setProperty") and
+    this.getDeclaringType().hasQualifiedName("java.lang", "System")
+  }
+}
+
+/** The class `java.util.Hashtable`. */
+class TypeHashtable extends Class {
+  TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }
+}
+
+/**
+ * The method to set Java properties either through `setProperty` declared in the class `Properties`
+ * or `put` declared in its parent class `HashTable`.
+ */
+class SetPropertyMethod extends Method {
+  SetPropertyMethod() {
+    this.getDeclaringType().getAnAncestor() instanceof TypeHashtable and
+    this.hasName(["put", "setProperty"])
+  }
+}
+
+/** The `setProperties` method declared in `java.lang.System`. */
+class SetSystemPropertiesMethod extends Method {
+  SetSystemPropertiesMethod() {
+    this.hasName("setProperties") and
+    this.getDeclaringType().hasQualifiedName("java.lang", "System")
+  }
+}
+
+/**
+ * Holds if `Expr` expr is evaluated to the string literal
+ * `com.sun.jndi.ldap.object.disableEndpointIdentification`.
+ */
+predicate isPropertyDisableLdapEndpointId(Expr expr) {
+  expr.(CompileTimeConstantExpr).getStringValue() =
+    "com.sun.jndi.ldap.object.disableEndpointIdentification"
+  or
+  exists(Field f |
+    expr = f.getAnAccess() and
+    f.getAnAssignedValue().(StringLiteral).getValue() =
+      "com.sun.jndi.ldap.object.disableEndpointIdentification"
+  )
+}
+
+/** Holds if an expression is evaluated to the boolean value true. */
+predicate isBooleanTrue(Expr expr) {
+  expr.(CompileTimeConstantExpr).getStringValue() = "true" // "true"
+  or
+  expr.(BooleanLiteral).getBooleanValue() = true // true
+  or
+  exists(MethodAccess ma |
+    expr = ma and
+    ma.getMethod().hasName("toString") and
+    ma.getQualifier().(FieldAccess).getField().hasName("TRUE") and
+    ma.getQualifier()
+        .(FieldAccess)
+        .getField()
+        .getDeclaringType()
+        .hasQualifiedName("java.lang", "Boolean") // Boolean.TRUE.toString()
+  )
+}
+
+/** Holds if `ma` is in a test class or method. */
+predicate isTestMethod(MethodAccess ma) {
+  ma.getEnclosingCallable() instanceof TestMethod or
+  ma.getEnclosingCallable().getDeclaringType() instanceof TestClass or
+  ma.getEnclosingCallable().getDeclaringType().getPackage().getName().matches("%test%") or
+  ma.getEnclosingCallable().getDeclaringType().getName().toLowerCase().matches("%test%")
+}
+
+/** Holds if `MethodAccess` ma disables SSL endpoint check. */
+predicate isInsecureSSLEndpoint(MethodAccess ma) {
+  (
+    ma.getMethod() instanceof SetSystemPropertyMethod and
+    isPropertyDisableLdapEndpointId(ma.getArgument(0)) and
+    isBooleanTrue(ma.getArgument(1)) //com.sun.jndi.ldap.object.disableEndpointIdentification=true
+    or
+    ma.getMethod() instanceof SetSystemPropertiesMethod and
+    exists(MethodAccess ma2 |
+      ma2.getMethod() instanceof SetPropertyMethod and
+      isPropertyDisableLdapEndpointId(ma2.getArgument(0)) and
+      isBooleanTrue(ma2.getArgument(1)) and //com.sun.jndi.ldap.object.disableEndpointIdentification=true
+      ma2.getQualifier().(VarAccess).getVariable().getAnAccess() = ma.getArgument(0) // systemProps.setProperties(properties)
+    )
+  )
+}
+
+from MethodAccess ma
+where
+  isInsecureSSLEndpoint(ma) and
+  not isTestMethod(ma)
+select ma, "LDAPS configuration allows insecure endpoint identification"

java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint2.java

@@ -0,0 +1,17 @@
+public class InsecureLdapEndpoint2 {
+    public Hashtable<String, String> createConnectionEnv() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // GOOD - No configuration to disable SSL endpoint check since it is enabled by default.
+        {
+        }
+
+        return env;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.expected

@@ -0,0 +1,5 @@
+| InsecureLdapEndpoint.java:19:9:19:92 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
+| InsecureLdapEndpoint.java:50:9:50:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
+| InsecureLdapEndpoint.java:68:9:68:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
+| InsecureLdapEndpoint.java:84:9:84:94 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
+| InsecureLdapEndpoint.java:102:9:102:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |

java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.java

@@ -0,0 +1,106 @@
+import java.util.Hashtable;
+import java.util.Properties;
+import javax.naming.Context;
+
+public class InsecureLdapEndpoint {
+    private static String PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION = "com.sun.jndi.ldap.object.disableEndpointIdentification";
+
+    // BAD - Test configuration with disabled LDAPS endpoint check using `System.setProperty()`.
+    public Hashtable<String, String> createConnectionEnv() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // Disable SSL endpoint check
+        System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
+
+        return env;
+    }
+
+    // GOOD - Test configuration without disabling LDAPS endpoint check.
+    public Hashtable<String, String> createConnectionEnv2() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        return env;
+    }
+
+    // BAD - Test configuration with disabled LDAPS endpoint check using `System.setProperties()`.
+    public Hashtable<String, String> createConnectionEnv3() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // Disable SSL endpoint check
+        Properties properties = new Properties();
+        properties.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
+        System.setProperties(properties);
+
+        return env;
+    }
+
+    // BAD - Test configuration with disabled LDAPS endpoint check using `HashTable.put()`.
+    public Hashtable<String, String> createConnectionEnv4() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // Disable SSL endpoint check
+        Properties properties = new Properties();
+        properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
+        System.setProperties(properties);
+
+        return env;
+    }
+
+    // BAD - Test configuration with disabled LDAPS endpoint check using the `TRUE` boolean field.
+    public Hashtable<String, String> createConnectionEnv5() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // Disable SSL endpoint check
+        System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString());
+
+        return env;
+    }
+
+    // BAD - Test configuration with disabled LDAPS endpoint check using a boolean value.
+    public Hashtable<String, String> createConnectionEnv6() {
+        Hashtable<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, "ldaps://ad.your-server.com:636");
+
+        env.put(Context.SECURITY_AUTHENTICATION, "simple");
+        env.put(Context.SECURITY_PRINCIPAL, "username");
+        env.put(Context.SECURITY_CREDENTIALS, "secpassword");
+
+        // Disable SSL endpoint check
+        Properties properties = new Properties();
+        properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", true);
+        System.setProperties(properties);
+
+        return env;
+    }
+}

java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql