Java: Convert unsafe hostname verification sinks to CSV format

tamasvajk · tamasvajk · commit e544faed6de2 · 2021-04-09T13:10:44.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -15,6 +15,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.Encryption
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Holds if `m` always returns `true` ignoring any exceptional flow.
@@ -49,14 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
     source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m |
-      (m instanceof SetDefaultHostnameVerifierMethod or m instanceof SetHostnameVerifierMethod) and
-      ma.getMethod() = m
-    |
-      ma.getArgument(0) = sink.asExpr()
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname") }
 
   override predicate isBarrier(DataFlow::Node barrier) {
     // ignore nodes that are in functions that intentionally disable hostname verification
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -207,7 +207,10 @@ private predicate sinkModelCsv(string row) {
       "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
       "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",
       // Bean validation
-      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"
+      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation",
+      // Set hostname
+      "javax.net.ssl;HttpsURLConnection;true;setDefaultHostnameVerifier;;;Argument[0];set-hostname",
+      "javax.net.ssl;HttpsURLConnection;true;setHostnameVerifier;;;Argument[0];set-hostname"
     ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,10 @@ private predicate sinkModelCsv(string row) {`
`207`	`207`	`"java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",`
`208`	`208`	`"java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",`
`209`	`209`	`// Bean validation`
`210`		`- "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"`
	`210`	`+ "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation",`
	`211`	`+ // Set hostname`
	`212`	`+ "javax.net.ssl;HttpsURLConnection;true;setDefaultHostnameVerifier;;;Argument[0];set-hostname",`
	`213`	`+ "javax.net.ssl;HttpsURLConnection;true;setHostnameVerifier;;;Argument[0];set-hostname"`
`211`	`214`	`]`
`212`	`215`	`}`
`213`	`216`