Java: Insecure JXBrowser #4945
java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.qhelp
It just came to my attention that this has been fixed in version 6.24. I will now detect version 6.24 by the existence of the
java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
Could you also add a test using v6.24, to show this is correctly not flagged? By making your test project not reference the addBoundsListener method you can also ensure your detection method works when that method is not called.
How can I use different stubs for different tests? The
Two folders look like the right option to me.
Adds a test for version 6.24, because that version is not vulnerable. The other test is for versions < 6.24, because these versions are vulnerable.
I've added tests for both versions. What do you think, would this query need major changes to become a non-experimental query?
I don't think there's anything I'd change about the code; the only possible obstacle would be FPs if any
@smowton @aschackmull just checking, is there anything missing I should improve?
Hmm, looks like some tests are failing.
Looks like the alert message in the query doesn't match the expected output in the test. Also, the qhelp apparently fails to render:
Accept test output for changed alert message.
@aschackmull I hope I fixed both the QHelp and the tests.
Sorry for all the back and forth. This is [2021-02-10 14:03:18] codeql generate query-help -vvv --log-to-stderr --output out.md --format markdown --search-path . -- java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.qhelp
[2021-02-10 14:03:18] Terminating normally.
Definitely historical reasons. I'm unsure whether those reasons still apply, and it would be nice if it was automatic and public, so I'll raise the question internally.
JXBrowser is a Java library that allows embedding the Chromium browser in Java applications.
Version 6.x.x ignores any HTTPS certificate errors by default, thereby allowing man-in-the-middle attacks.
This PR detects this case.
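As an added illustration of the version-marker approach discussed in this thread (not the PR's own query), the following CodeQL sketch flags JxBrowser instantiations unless the library in the database declares the `addBoundsListener` method that marks 6.24 and later. The `com.teamdev.jxbrowser.chromium` package name and the use of the `Browser` class as the flagged type are assumptions.

```ql
/**
 * @name Insecure JxBrowser version (illustrative)
 * @description JxBrowser 6.x before 6.24 ignores HTTPS certificate errors by default.
 * @kind problem
 * @problem.severity error
 * @id java/example/insecure-jxbrowser-version
 */

import java

/** The JxBrowser `Browser` class (package name assumed for the 6.x line). */
class JxBrowserClass extends Class {
  JxBrowserClass() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
}

/**
 * Holds if the JxBrowser library present in the database is version 6.24 or later.
 * Following the thread, the existence of `addBoundsListener` anywhere in the
 * JxBrowser packages is used as the marker; its declaring class is not assumed.
 */
predicate hasFixedVersionMarker() {
  exists(Method m |
    m.hasName("addBoundsListener") and
    m.getDeclaringType().getPackage().getName().matches("com.teamdev.jxbrowser%")
  )
}

// Flag every `new Browser(...)` when no fixed-version marker is present,
// so a project that never calls `addBoundsListener` is still classified correctly.
from ClassInstanceExpr newBrowser
where
  newBrowser.getConstructedType() instanceof JxBrowserClass and
  not hasFixedVersionMarker()
select newBrowser,
  "JxBrowser version before 6.24 ignores HTTPS certificate errors by default."
```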