/*
* SonarQube Java
* Copyright (C) 2012-2024 SonarSource SA
* mailto:info AT sonarsource DOT com
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 3 of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
package org.sonar.java.checks;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.sonar.check.Rule;
import org.sonar.java.model.ExpressionUtils;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.JavaFileScannerContext;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.tree.Arguments;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.MemberSelectExpressionTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;
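@Rule(key = "S4423")
/**
 * Reports the use of weak SSL/TLS protocol versions in three call shapes:
 * {@code SSLContext.getInstance(protocol, ...)}, okhttp3 {@code ConnectionSpec.Builder#tlsVersions(...)}
 * and Spring Boot {@code SslBundleProperties.Options#setEnabledProtocols(Set)}.
 *
 * <p>For {@code SSLContext.getInstance} anything that is not explicitly strong is reported, so that new
 * or unknown names are flagged. For the two other APIs a deny-list of weak names is used, because the
 * arguments are usually enum constants or collection literals whose full value set cannot be resolved.
 */
public class WeakSSLContextCheck extends IssuableSubscriptionVisitor {

  private static final String ISSUE_MESSAGE = "Change this code to use a stronger protocol.";
  private static final String SECONDARY_LOCATION_MESSAGE = "Other weak protocol.";

  /** JSSE protocol names considered strong whatever the target Java version. */
  private static final Set<String> STRONG_PROTOCOLS = Set.of("TLSv1.2", "DTLSv1.2", "TLSv1.3", "DTLSv1.3");

  /** Generic names that negotiate the strongest supported version on Java 8 and later. */
  private static final Set<String> STRONG_AFTER_JAVA_8 = Set.of("TLS", "DTLS");

  /**
   * Weak versions as they can be passed to okhttp3 {@code tlsVersions}: either the {@code TlsVersion}
   * enum constant name ({@code TLS_1_0}, ...) or the JSSE name string ({@code "TLSv1"}, ...).
   * SSL 3.0 is weaker than TLS 1.0 and is therefore listed as well.
   */
  private static final Set<String> WEAK_FOR_OK_HTTP = Set.of(
    "SSLv3", "TLSv1", "TLSv1.1",
    "SSL_3_0", "TLS_1_0", "TLS_1_1");

  /**
   * Weak JSSE protocol names for Spring Boot's {@code setEnabledProtocols}. {@code "TLSv1"} is the JSSE
   * name of TLS 1.0; {@code "TLSv1.0"} is kept so that previously reported spellings stay reported.
   */
  private static final Set<String> WEAK_FOR_SET_ENABLED_PROTOCOLS = Set.of("SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1");

  private static final MethodMatchers SSLCONTEXT_GETINSTANCE_MATCHER = MethodMatchers.create()
    .ofTypes("javax.net.ssl.SSLContext")
    .names("getInstance")
    .withAnyParameters()
    .build();

  private static final MethodMatchers OK_HTTP_TLS_VERSION = MethodMatchers.create()
    .ofTypes("okhttp3.ConnectionSpec$Builder")
    .names("tlsVersions")
    .withAnyParameters()
    .build();

  private static final MethodMatchers OPTIONS_ENABLED_PROTOCOLS = MethodMatchers.create()
    .ofTypes("org.springframework.boot.autoconfigure.ssl.SslBundleProperties$Options")
    .names("setEnabledProtocols")
    .addParametersMatcher("java.util.Set")
    .build();

  /** True when the analysed project targets Java 8 or later, or has no version configured. */
  private boolean javaVersionNotSetOr8OrHigher;

  @Override
  public void setContext(JavaFileScannerContext context) {
    // Captured once per file: whether the generic "TLS"/"DTLS" names may be trusted (see isStrongProtocol).
    javaVersionNotSetOr8OrHigher = context.getJavaVersion().isJava8Compatible();
    super.setContext(context);
  }

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
  }

  /**
   * Dispatches each method invocation to the check matching its receiver type.
   *
   * @param tree a {@link Tree.Kind#METHOD_INVOCATION} node
   */
  @Override
  public void visitNode(Tree tree) {
    MethodInvocationTree mit = (MethodInvocationTree) tree;
    if (SSLCONTEXT_GETINSTANCE_MATCHER.matches(mit)) {
      checkSslContextGetInstance(mit);
    } else if (OK_HTTP_TLS_VERSION.matches(mit)) {
      checkOkHttpTlsVersions(mit);
    } else if (OPTIONS_ENABLED_PROTOCOLS.matches(mit)) {
      checkSpringEnabledProtocols(mit);
    }
  }

  /** Reports the protocol argument of {@code SSLContext.getInstance(...)} unless it resolves to a strong name. */
  private void checkSslContextGetInstance(MethodInvocationTree mit) {
    Arguments arguments = mit.arguments();
    if (arguments.isEmpty()) {
      return;
    }
    ExpressionTree protocolArgument = arguments.get(0);
    // Only constant strings can be judged; a variable protocol name is left unreported rather than guessed.
    protocolArgument.asConstant(String.class)
      .filter(protocol -> !isStrongProtocol(protocol))
      .ifPresent(protocol -> reportIssue(protocolArgument, ISSUE_MESSAGE));
  }

  /** Reports the first weak version passed to okhttp3 {@code tlsVersions(...)}, the others as secondaries. */
  private void checkOkHttpTlsVersions(MethodInvocationTree mit) {
    List<ExpressionTree> unsecureVersions = getUnsecureVersionsInArguments(mit.arguments());
    if (unsecureVersions.isEmpty()) {
      return;
    }
    List<JavaFileScannerContext.Location> secondaries = unsecureVersions.stream()
      .skip(1)
      .map(secondary -> new JavaFileScannerContext.Location(SECONDARY_LOCATION_MESSAGE, secondary))
      .toList();
    reportIssue(unsecureVersions.get(0), ISSUE_MESSAGE, secondaries, null);
  }

  /**
   * Reports {@code setEnabledProtocols(Set.of(...))} when the set literal contains a weak constant;
   * the issue is anchored on the method name and each weak element becomes a secondary location.
   */
  private void checkSpringEnabledProtocols(MethodInvocationTree mit) {
    Arguments arguments = mit.arguments();
    if (arguments.isEmpty() || !(arguments.get(0) instanceof MethodInvocationTree setFactoryCall)) {
      // Only an inline factory call such as Set.of("TLSv1.1") exposes its elements to the analysis.
      return;
    }
    List<JavaFileScannerContext.Location> secondaryLocations = setFactoryCall.arguments().stream()
      .filter(WeakSSLContextCheck::isWeakEnabledProtocol)
      .map(arg -> new JavaFileScannerContext.Location(SECONDARY_LOCATION_MESSAGE, arg))
      .toList();
    if (!secondaryLocations.isEmpty()) {
      // methodName() works for both qualified (opts.setEnabledProtocols) and unqualified calls,
      // avoiding a ClassCastException on a bare identifier method select.
      reportIssue(ExpressionUtils.methodName(mit), ISSUE_MESSAGE, secondaryLocations, null);
    }
  }

  /** True when the element resolves to a constant that names a weak protocol. */
  private static boolean isWeakEnabledProtocol(ExpressionTree element) {
    Object value = ExpressionUtils.resolveAsConstant(element);
    return value != null && WEAK_FOR_SET_ENABLED_PROTOCOLS.contains(value);
  }

  /**
   * @param protocol the constant protocol name passed to {@code SSLContext.getInstance}
   * @return true for an explicitly strong version, or for the generic "TLS"/"DTLS" names when the
   *         project may rely on Java 8+ defaults
   */
  private boolean isStrongProtocol(String protocol) {
    // A project with a version not set is very likely to be >= Java 8
    return STRONG_PROTOCOLS.contains(protocol) || (javaVersionNotSetOr8OrHigher && STRONG_AFTER_JAVA_8.contains(protocol));
  }

  /** Keeps, in source order, the {@code tlsVersions} arguments naming a weak version. */
  private static List<ExpressionTree> getUnsecureVersionsInArguments(Arguments arguments) {
    return arguments.stream()
      .filter(WeakSSLContextCheck::isUnsecureVersion)
      .toList();
  }

  /** True when the argument names a weak version, as a string constant, an enum identifier or a qualified constant. */
  private static boolean isUnsecureVersion(ExpressionTree expressionTree) {
    return protocolNameOf(expressionTree).filter(WEAK_FOR_OK_HTTP::contains).isPresent();
  }

  /**
   * Extracts the name an okhttp3 {@code tlsVersions} argument refers to: the string value of a constant
   * expression, the simple name of an identifier (statically imported {@code TLS_1_0}) or the selected
   * name of a member select ({@code TlsVersion.TLS_1_0}).
   *
   * @return the name, or empty when the expression has none of those shapes
   */
  private static Optional<String> protocolNameOf(ExpressionTree expressionTree) {
    Optional<String> constant = expressionTree.asConstant(String.class);
    if (constant.isPresent()) {
      return constant;
    }
    if (expressionTree.is(Tree.Kind.IDENTIFIER)) {
      return Optional.of(((IdentifierTree) expressionTree).name());
    }
    if (expressionTree.is(Tree.Kind.MEMBER_SELECT)) {
      return Optional.of(((MemberSelectExpressionTree) expressionTree).identifier().name());
    }
    return Optional.empty();
  }
}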