Add SECURITY_PROTOCOL check

luchua-bc · luchua-bc · commit babe744a3011 · 2021-01-13T03:49:08.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -89,22 +89,36 @@ predicate isProviderUrlSetter(MethodAccess ma) {
 }
 
 /**
- * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
+ * Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue` in some `Hashtable`.
  */
-predicate isSimpleAuthEnv(MethodAccess ma) {
+bindingset[fieldName, fieldValue, envValue]
+predicate hasEnvWithValue(MethodAccess ma, string fieldName, string fieldValue, string envValue) {
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
   (ma.getMethod().hasName("put") or ma.getMethod().hasName("setProperty")) and
   (
-    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() =
-      "java.naming.security.authentication"
+    ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = fieldValue
     or
     exists(Field f |
       ma.getArgument(0) = f.getAnAccess() and
-      f.hasName("SECURITY_AUTHENTICATION") and
+      f.hasName(fieldName) and
       f.getDeclaringType() instanceof TypeNamingContext
     )
   ) and
-  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "simple"
+  ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
+ */
+predicate isSimpleAuthEnv(MethodAccess ma) {
+  hasEnvWithValue(ma, "SECURITY_AUTHENTICATION", "java.naming.security.authentication", "simple")
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
+ */
+predicate isSSLEnv(MethodAccess ma) {
+  hasEnvWithValue(ma, "SECURITY_PROTOCOL", "java.naming.security.protocol", "ssl")
 }
 
 /**
@@ -124,6 +138,10 @@ class LdapAuthFlowConfig extends TaintTracking::Configuration {
       exists(MethodAccess sma |
         sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
         isSimpleAuthEnv(sma)
+      ) and
+      not exists(MethodAccess sma |
+        sma.getQualifier() = pma.getQualifier().(VarAccess).getVariable().getAnAccess() and
+        isSSLEnv(sma)
       )
     )
   }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,19 +1,19 @@
 edges
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl |
-| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl |
-| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl |
+| InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | semmle.label | ldapUrl |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | semmle.label | ldapUrl |
-| InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | semmle.label | ldapUrl |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | semmle.label | ldapUrl |
+| InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | semmle.label | ldapUrl |
 #select
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:25:20:25:39 | ... + ... | LDAP connection string |
-| InsecureLdapAuth.java:85:41:85:47 | ldapUrl | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:85:41:85:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:81:20:81:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
-| InsecureLdapAuth.java:100:47:100:53 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:47:100:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl | Insecure LDAP authentication from $@. | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" | LDAP connection string |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.java
@@ -48,6 +48,21 @@ public void testSslLdapAuth(String ldapUserName, String password) {
 		DirContext dirContext = new InitialDirContext(environment);
 	}
 
+	// GOOD - Test LDAP authentication over SSL.
+	public void testSslLdapAuth2(String ldapUserName, String password) {
+		String ldapUrl = "ldap://ad.your-server.com:636";
+		Hashtable<String, String> environment = new Hashtable<String, String>();
+		environment.put(Context.INITIAL_CONTEXT_FACTORY,
+			"com.sun.jndi.ldap.LdapCtxFactory");
+		environment.put(Context.PROVIDER_URL, ldapUrl);
+		environment.put(Context.REFERRAL, "follow");
+		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+		environment.put(Context.SECURITY_CREDENTIALS, password);
+		environment.put(Context.SECURITY_PROTOCOL, "ssl");
+		DirContext dirContext = new InitialDirContext(environment);
+	}
+
 	// GOOD - Test LDAP authentication with SASL authentication.
 	public void testSaslLdapAuth(String ldapUserName, String password) {
 		String ldapUrl = "ldap://ad.your-server.com:389";
