Add UnsafeHostnameVerificationQuery

Author: egregius313

java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md

@@ -10,4 +10,5 @@ category: minorAnalysis
 * Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
 * Added the `StackTraceExposureQuery.qll` library to provide the `printsStackExternally`, `stringifiedStackFlowsExternally`, and `getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
 * Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
-* Added the `ResponseSplittingLocalQuery.qll` library to provide the `ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
+* Added the `ResponseSplittingLocalQuery.qll` library to provide the `ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
+* Added the `UnsafeHostnameVerificationQuery.qll` library to provide the `TrustAllHostnameVerifierFlow` taint-tracking module to reason about insecure hostname verification vulnerabilities.

java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll

@@ -0,0 +1,104 @@
+/** Provides predicates and dataflow configurations for reasoning about unsafe hostname verification. */
+
+import java
+private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.security.SecurityFlag
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * Holds if `m` always returns `true` ignoring any exceptional flow.
+ */
+private predicate alwaysReturnsTrue(HostnameVerifierVerify m) {
+  forex(ReturnStmt rs | rs.getEnclosingCallable() = m |
+    rs.getResult().(CompileTimeConstantExpr).getBooleanValue() = true
+  )
+}
+
+/**
+ * A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (though it could also exit due to an uncaught exception), thus
+ * accepting any certificate despite a hostname mismatch.
+ */
+class TrustAllHostnameVerifier extends RefType {
+  TrustAllHostnameVerifier() {
+    this.getAnAncestor() instanceof HostnameVerifier and
+    exists(HostnameVerifierVerify m |
+      m.getDeclaringType() = this and
+      alwaysReturnsTrue(m)
+    )
+  }
+}
+
+/**
+ * A configuration to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call.
+ */
+module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
+
+  predicate isBarrier(DataFlow::Node barrier) {
+    // ignore nodes that are in functions that intentionally disable hostname verification
+    barrier
+        .getEnclosingCallable()
+        .getName()
+        /*
+         * Regex: (_)* :
+         * some methods have underscores.
+         * Regex: (no|ignore|disable)(strictssl|ssl|verify|verification|hostname)
+         * noStrictSSL ignoreSsl
+         * Regex: (set)?(accept|trust|ignore|allow)(all|every|any)
+         * acceptAll trustAll ignoreAll setTrustAnyHttps
+         * Regex: (use|do|enable)insecure
+         * useInsecureSSL
+         * Regex: (set|do|use)?no.*(check|validation|verify|verification)
+         * setNoCertificateCheck
+         * Regex: disable
+         * disableChecks
+         */
+
+        .regexpMatch("^(?i)(_)*((no|ignore|disable)(strictssl|ssl|verify|verification|hostname)" +
+            "|(set)?(accept|trust|ignore|allow)(all|every|any)" +
+            "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$")
+  }
+}
+
+/** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */
+module TrustAllHostnameVerifierFlow = DataFlow::Global<TrustAllHostnameVerifierConfig>;
+
+/**
+ * A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
+ */
+private class HostnameVerifierSink extends DataFlow::Node {
+  HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
+}
+
+/**
+ * Flags suggesting a deliberately unsafe `HostnameVerifier` usage.
+ */
+private class UnsafeHostnameVerificationFlag extends FlagKind {
+  UnsafeHostnameVerificationFlag() { this = "UnsafeHostnameVerificationFlag" }
+
+  bindingset[result]
+  override string getAFlagName() {
+    result
+        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
+    result != "equalsIgnoreCase"
+  }
+}
+
+/** Gets a guard that represents a (likely) flag controlling an unsafe `HostnameVerifier` use. */
+private Guard getAnUnsafeHostnameVerifierFlagGuard() {
+  result = any(UnsafeHostnameVerificationFlag flag).getAFlag().asExpr()
+}
+
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
+predicate isNodeGuardedByFlag(DataFlow::Node node) {
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnUnsafeHostnameVerifierFlagGuard()
+  )
+}

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

@@ -11,109 +11,9 @@
  */
 
 import java
-import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.Encryption
-import semmle.code.java.security.SecurityFlag
-private import semmle.code.java.dataflow.ExternalFlow
-
-/**
- * Holds if `m` always returns `true` ignoring any exceptional flow.
- */
-private predicate alwaysReturnsTrue(HostnameVerifierVerify m) {
-  forex(ReturnStmt rs | rs.getEnclosingCallable() = m |
-    rs.getResult().(CompileTimeConstantExpr).getBooleanValue() = true
-  )
-}
-
-/**
- * A class that overrides the `javax.net.ssl.HostnameVerifier.verify` method and **always** returns `true` (though it could also exit due to an uncaught exception), thus
- * accepting any certificate despite a hostname mismatch.
- */
-class TrustAllHostnameVerifier extends RefType {
-  TrustAllHostnameVerifier() {
-    this.getAnAncestor() instanceof HostnameVerifier and
-    exists(HostnameVerifierVerify m |
-      m.getDeclaringType() = this and
-      alwaysReturnsTrue(m)
-    )
-  }
-}
-
-/**
- * A configuration to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call.
- */
-module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
-
-  predicate isBarrier(DataFlow::Node barrier) {
-    // ignore nodes that are in functions that intentionally disable hostname verification
-    barrier
-        .getEnclosingCallable()
-        .getName()
-        /*
-         * Regex: (_)* :
-         * some methods have underscores.
-         * Regex: (no|ignore|disable)(strictssl|ssl|verify|verification|hostname)
-         * noStrictSSL ignoreSsl
-         * Regex: (set)?(accept|trust|ignore|allow)(all|every|any)
-         * acceptAll trustAll ignoreAll setTrustAnyHttps
-         * Regex: (use|do|enable)insecure
-         * useInsecureSSL
-         * Regex: (set|do|use)?no.*(check|validation|verify|verification)
-         * setNoCertificateCheck
-         * Regex: disable
-         * disableChecks
-         */
-
-        .regexpMatch("^(?i)(_)*((no|ignore|disable)(strictssl|ssl|verify|verification|hostname)" +
-            "|(set)?(accept|trust|ignore|allow)(all|every|any)" +
-            "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$")
-  }
-}
-
-module TrustAllHostnameVerifierFlow = DataFlow::Global<TrustAllHostnameVerifierConfig>;
-
+import semmle.code.java.security.UnsafeHostnameVerificationQuery
 import TrustAllHostnameVerifierFlow::PathGraph
 
-/**
- * A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
- */
-private class HostnameVerifierSink extends DataFlow::Node {
-  HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
-}
-
-/**
- * Flags suggesting a deliberately unsafe `HostnameVerifier` usage.
- */
-private class UnsafeHostnameVerificationFlag extends FlagKind {
-  UnsafeHostnameVerificationFlag() { this = "UnsafeHostnameVerificationFlag" }
-
-  bindingset[result]
-  override string getAFlagName() {
-    result
-        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
-    result != "equalsIgnoreCase"
-  }
-}
-
-/** Gets a guard that represents a (likely) flag controlling an unsafe `HostnameVerifier` use. */
-private Guard getAnUnsafeHostnameVerifierFlagGuard() {
-  result = any(UnsafeHostnameVerificationFlag flag).getAFlag().asExpr()
-}
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
-private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
-    g = getASecurityFeatureFlagGuard() or g = getAnUnsafeHostnameVerifierFlagGuard()
-  )
-}
-
 from
   TrustAllHostnameVerifierFlow::PathNode source, TrustAllHostnameVerifierFlow::PathNode sink,
   RefType verifier