use hardCode

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java

@@ -19,6 +19,14 @@ public void bad1(HttpServletRequest request) {
         }
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!"127.0.0.1".equals(ip)) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp

@@ -16,7 +16,7 @@ bypass a ban-list, for example.</p>
 <example>
 
 <p>The following examples show the bad case and the good case respectively.
-In the <code>bad1</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
+In <code>bad1</code> method and <code>bad2</code> method, the client ip the <code>X-Forwarded-For</code> is split into comma-separated values, but the less-trustworthy first one is used. Both of these examples could be deceived by providing a forged HTTP header. The method
 <code>good1</code> similarly splits an <code>X-Forwarded-For</code> value, but uses the last, more-trustworthy entry.</p>
 
 <sample src="UseOfLessTrustedSource.java" />

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql

@@ -36,8 +36,6 @@ class UseOfLessTrustedSourceConfig extends TaintTracking::Configuration {
       not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0
     )
     or
-    node.getType().hasName("Object")
-    or
     node.getType() instanceof PrimitiveType
     or
     node.getType() instanceof BoxedType

java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll

@@ -1,5 +1,6 @@
 import java
 import DataFlow
+import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.QueryInjection
 import experimental.semmle.code.java.Logging
 
@@ -40,14 +41,10 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getNumberOfParameters() = 1 and
       (
         ma.getArgument(0) = this.asExpr() and
-        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-            "", "unknown", ":"
-          ]
+        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
         or
         ma.getQualifier() = this.asExpr() and
-        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-            "", "unknown", ":"
-          ]
+        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
       )
     )
     or
@@ -56,9 +53,10 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getDeclaringType() instanceof TypeString and
       ma.getMethod().getNumberOfParameters() = 1 and
       ma.getQualifier() = this.asExpr() and
-      not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-          "", "unknown"
-        ]
+      ma.getAnArgument()
+          .(CompileTimeConstantExpr)
+          .getStringValue()
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
     )
     or
     exists(MethodAccess ma |
@@ -68,7 +66,10 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() != ""
+      ma.getAnArgument()
+          .(CompileTimeConstantExpr)
+          .getStringValue()
+          .regexpMatch("^((10\\.((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?)|(192\\.168\\.)|172\\.(1[6789]|2[0-9]|3[01])\\.)((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)(\\.)?((1\\d{2})?|(2[0-4]\\d)?|(25[0-5])?|([1-9]\\d|[0-9])?)$")
     )
     or
     exists(MethodAccess ma |
@@ -78,9 +79,7 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
-          "", "unknown", ":"
-        ]
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
     )
   }
 }

java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.expected

@@ -1,11 +1,16 @@
 edges
 | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip |
-| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String |
-| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip |
+| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String |
 nodes
 | UseOfLessTrustedSource.java:16:21:16:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
 | UseOfLessTrustedSource.java:17:37:17:38 | ip | semmle.label | ip |
-| UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
-| UseOfLessTrustedSource.java:41:16:41:37 | ...[...] : String | semmle.label | ...[...] : String |
+| UseOfLessTrustedSource.java:24:21:24:33 | getClientIP(...) : String | semmle.label | getClientIP(...) : String |
+| UseOfLessTrustedSource.java:25:33:25:34 | ip | semmle.label | ip |
+| UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| UseOfLessTrustedSource.java:49:16:49:37 | ...[...] : String | semmle.label | ...[...] : String |
 #select
-| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:37:27:37:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:17:37:17:38 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:17:37:17:38 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |
+| UseOfLessTrustedSource.java:25:33:25:34 | ip | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) : String | UseOfLessTrustedSource.java:25:33:25:34 | ip | IP address spoofing might include code from $@. | UseOfLessTrustedSource.java:45:27:45:62 | getHeader(...) | this user input |

java/ql/test/experimental/query-tests/security/CWE-348/UseOfLessTrustedSource.java

@@ -19,6 +19,14 @@ public void bad1(HttpServletRequest request) {
         }
     }
 
+    @GetMapping(value = "bad2")
+    public void bad2(HttpServletRequest request) {
+        String ip = getClientIP();
+        if (!"127.0.0.1".equals(ip)) {
+            new Exception("ip illegal");
+        }
+    }
+
     @GetMapping(value = "good1")
     @ResponseBody
     public String good1(HttpServletRequest request) {