Merge pull request #16761 from owen-mc/java/reverse-dns-get-loopback-address

Java: Exclude loopback address from reverse DNS source

Author: owen-mc

java/ql/lib/change-notes/2024-06-14-exclude-loopback-from-reverse-dns.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Excluded reverse DNS from the loopback address as a source of untrusted data.

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -126,7 +126,7 @@ private class ReverseDnsSource extends RemoteFlowSource {
       m.getMethod() instanceof ReverseDnsMethod and
       not exists(MethodCall l |
         (variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
-        l.getMethod().getName() = "getLocalHost"
+        (l.getMethod().getName() = "getLocalHost" or l.getMethod().getName() = "getLoopbackAddress")
       )
     )
   }

java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java

@@ -38,7 +38,7 @@ public static void main(HttpServletRequest request) throws Exception {
 		}
 
 		// FALSE NEGATIVE: we have no way of telling that the skipped method is sensitive
-		if (adminCookie.getValue() == "false") // $ MISSING: $ hasConditionalBypassTest
+		if (adminCookie.getValue() == "false") // $ MISSING: hasConditionalBypassTest
 			doReallyImportantSecurityWork();
 
 		InetAddress local = InetAddress.getLocalHost();
@@ -49,6 +49,15 @@ public static void main(HttpServletRequest request) throws Exception {
 		if (Inet4Address.getLocalHost().getCanonicalHostName().equals("localhost")) {
 			login(user, password);
 		}
+
+		InetAddress loopback = InetAddress.getLoopbackAddress();
+		// GOOD: reverse DNS on loopback address is fine
+		if (loopback.getCanonicalHostName().equals("localhost")) {
+			login(user, password);
+		}
+		if (Inet4Address.getLoopbackAddress().getCanonicalHostName().equals("localhost")) {
+			login(user, password);
+		}
 	}
 
 	public static void test(String user, String password) {