[Java] CWE-348: Using a client-supplied IP address in a security check

[haby0]

If an application trusts an HTTP request header like X-Forwarded-For to accurately specify the remote IP address of the connecting client.

[intrigus-lgtm]

What happened to @Component?
https://github.com/spring-projects/spring-framework/blob/v5.2.3.RELEASE/spring-context/src/main/java/org/springframework/stereotype/Controller.java

[haby0]

Thanks for reminding

[smowton]

If we're treating returning as a sink we might as well flag any use of X-Forwarded-For except splitting and taking the rightmost value.

[haby0]

The result of return as a sink, I think the method is a util method, this usage is common.

[smowton]

Right, but you don't care about what is done with it subsequently? This is so general that there's almost no point checking how it is used at all.

[haby0]

If so, I think there is a problem as long as there is a place to call this method. If you consider what to do with the result of the client ip method, I think there will be a false negative rate. What do you think?

[smowton]

What uses do you actually consider dangerous, besides logging?

[haby0]

In addition to local output or log records, there are also user authentication based on client ip, database storage, etc., but their use is not unique, so I think it is impossible to standardize the definition.

[haby0]

Can we let the security-lab review it together?

[haby0]

E.g:

• The client ip detects whether there is login permission: UserServiceImpl
• Limit the number of logins for the client ip, which is common in scenarios such as blasting and ticketing: CaptchaService
• Insert the database as a record: LogDB
• Save it in JavaBean and insert into the database: MenuController

[smowton]

I can, but as this stands I would have to warn them that the query will produce really strange results:

• Directly used in logging call: positive
• Directly used in a rate-limiter: negative
• Directly returned: positive
• Returned in a field: negative

A user of this query would be very confused, because their expectation is that the way the value is used is the important thing, not trivial aspects of dataflow like is it returned from a function or used in function-local scope.

I would recommend you find some e.g. rate-limiting utility that would constitute a dangerous way to use this identifier. Alternatively you can choose to send this to the security lab with the health warning attached.

[haby0]

Thank you, I agree to let them know the current situation, and I also want to listen to their suggestions, so as to implement a changed query.

[smowton]

Perhaps provide a link regarding how you chose this list of header values?

[haby0]

Reference:

• github
• memorynotfound

[smowton]

Explain what you're intending to do here? Should this suppress some warnings completely, or just prevent repeated warnings in the same function?

[haby0]

Ensure that x-forwarded-for is the first to be obtained in the method of obtaining client ip.

[smowton]

Explain why you're using these headers for xffIsFirstGet but only X-Forwarded-For in the main query?

[haby0]

This is related to the xffIsFirstGet predicate.

[smowton]

Right, but why are you checking for all these possibilities here, but only X-Forwarded-For in UseOfLessTrustedSource? What is special about that header that means you trust it less than X-Real-IP for instance?

[haby0]

Yes, and X-Forwarded-For has a high usage rate.

[smowton]

Why are you only considering X-Forwarded-For a source of error? Isn't X-Real-IP exactly the same? I don't understand why you consider all 5 for the purposes of finding out if this is the first check in this function, but only one for the source.

[haby0]

X-Forwarded-For is a superposition process when used, format: client, proxy1, proxy2. X-Real-IP is a process of coverage when in use.

[smowton]

Right, which is why you suppose that taking the right-most comma-separated piece of X-Forwarded-For might be safer than the left-most. If X-Real-IP doesn't get used that way then it's simply always dangerous to trust, right? But at the moment we treat it as always safe?

[haby0]

Thank you for reviewing my pr.

You are right. But I still find it weird, regarding the questions here and above, I would like to hear the opinions of security-lab. Hope you can understand.

[smowton]

Suggested change

	not aa.getIndexExpr().toString() = "0"
	not aa.getIndexExpr().(CompileTimeConstantExpr).getIntValue() = 0

[smowton]

After discussing with colleages, I have decided I will reject this PR unless you can replace the highly-general ReturnValue sink with something more precise which you believe represents a hazardous use of an untrustworthy header. Otherwise this query is not much better than flagging any getHeader("X-Forwarded-For"), which can be achieved with much simpler tools than CodeQL.

[haby0]

After discussing with colleages, I have decided I will reject this PR unless you can replace the highly-general ReturnValue sink with something more precise which you believe represents a hazardous use of an untrustworthy header. Otherwise this query is not much better than flagging any getHeader("X-Forwarded-For"), which can be achieved with much simpler tools than CodeQL.

I will try to find the accurate sink from github. In addition, I want to know if the source needs to be changed here?

[smowton]

I would strongly advise to use the same list of headers that specify a remote endpoint identifier (X-Forwarded-For, X-Real-IP, ...) as you used elsewhere in this PR. X-Forwarded-For only differs in that it is sometimes possible to comma-split it and so retrieve a safe(r) version of it.

[haby0]

I would strongly advise to use the same list of headers that specify a remote endpoint identifier (X-Forwarded-For, X-Real-IP, ...) as you used elsewhere in this PR. X-Forwarded-For only differs in that it is sometimes possible to comma-split it and so retrieve a safe(r) version of it.

Thank you for your suggestion, I will reflect it in the next version.

[haby0]

There are several changes in this revision:

• Modify source, add remote endpoint identifier.
• Modify sink. Including: log operation, if condition (excluding the null value judgment of client ip), sql operation (using QueryInjectionSink directly), local output.

lgtm result for reference.

[smowton]

This is still a very very broad sink. I would much rather we looked for specific patterns we think are dangerous (for example, the startsWith condition you describe in the comment than to just exclude 7 or 8 cases you think are probably FPs and flag every other if statement.

If we look positively for suspicious usage, we can also avoid insisting the expression occurs directly with an if statement -- instead the sink is simply any startsWith(...) call, or an .equals with a non-blank right-hand side, or similar.

[haby0]

It works for structr, it's just such an unprincipled discriminator that I don't really want to commit this to our codebase. It wouldn't make any sense to anyone using the query -- this one is regarded as bad, and this one as good, because you used a String or Object-typed variable somewhere?

The Object type restriction on Node is currently only for the structr project. I haven't found it in other projects for the time being.

[kevinbackhouse]

My recommendation for improving the query is to restrict it so that it only flags cases like this one:

https://lgtm.com/projects/g/heathcare/heathcare/snapshot/a76e38b839a1fd02a12996c07bb70d33c1a38915/files/src/main/java/com/glaf/base/filter/PermissionFilter.java?sort=name&dir=ASC&mode=heatmap#x762b35b7412f98f6:1

In other words, only flag if-conditions that contain a hard-coded IP address: "192.168.0", "127.0.0", etc. Those are the places where an attacker has a higher chance of an authentication bypass by sending a spoofed IP address in the X-Forwarded-For field.

[haby0]

My recommendation for improving the query is to restrict it so that it only flags cases like this one:

https://lgtm.com/projects/g/heathcare/heathcare/snapshot/a76e38b839a1fd02a12996c07bb70d33c1a38915/files/src/main/java/com/glaf/base/filter/PermissionFilter.java?sort=name&dir=ASC&mode=heatmap#x762b35b7412f98f6:1

In other words, only flag if-conditions that contain a hard-coded IP address: "192.168.0", "127.0.0", etc. Those are the places where an attacker has a higher chance of an authentication bypass by sending a spoofed IP address in the X-Forwarded-For field.

This will have a false negative.

@smowton What is your suggestion on this?

[smowton]

That looks pretty precise. Implement it and let's test it?

[haby0]

That looks pretty precise. Implement it and let's test it?

[haby0]

That looks pretty precise. Implement it and let's test it?

ok

[haby0]

That looks pretty precise. Implement it and let's test it?

Please review.

https://lgtm.com/query/4289318833195816514/

[smowton]

Made an all-projects run of this for the security lab to look at

[haby0]

https://lgtm.com/query/2268755143253610690/

[kevinbackhouse]

Thanks. The results are looking much better now. There is just one false positive pattern that seems to come up a lot:

"0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : ip;

Examples:

• https://lgtm.com/projects/g/zhangyp1/demo/snapshot/62dfd4ded70fdeae6d4ed39b268cdb2b0eb04f68/files/opslabJutil-master/src/main/java/com/opslab/helper/HttpRequestHelper.java?sort=name&dir=ASC&mode=heatmap#x55ca8e92fb877ffc:1
• https://lgtm.com/projects/g/lizhiguoemail/bandian/snapshot/bcfeced4557bb67db7b6894867ef3f9e437775a3/files/src/main/java/com/lhsz/bandian/utils/IpUtils.java?sort=name&dir=ASC&mode=heatmap#x3a7fdd641de011ed:1

So it might be worth adding special case for that pattern, but otherwise I am happy with this now.

[haby0]

Thanks. The results are looking much better now. There is just one false positive pattern that seems to come up a lot:

"0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : ip;

Examples:

• https://lgtm.com/projects/g/zhangyp1/demo/snapshot/62dfd4ded70fdeae6d4ed39b268cdb2b0eb04f68/files/opslabJutil-master/src/main/java/com/opslab/helper/HttpRequestHelper.java?sort=name&dir=ASC&mode=heatmap#x55ca8e92fb877ffc:1
• https://lgtm.com/projects/g/lizhiguoemail/bandian/snapshot/bcfeced4557bb67db7b6894867ef3f9e437775a3/files/src/main/java/com/lhsz/bandian/utils/IpUtils.java?sort=name&dir=ASC&mode=heatmap#x3a7fdd641de011ed:1

So it might be worth adding special case for that pattern, but otherwise I am happy with this now.

I made a modification to this false positive, please review the lgtm result.

https://lgtm.com/query/2916758049910443110/
https://lgtm.com/query/2367742774803333177/

[smowton]

Rename "UseOfLessTrustedSource" -> "ClientSuppliedIpUsedInSecurityCheck" everywhere, including filenames and class names.

[smowton]

Factor the regex out into something like

string getIpAddressRegex() { result = ... }

[haby0]

https://lgtm.com/query/5856626224614437538/
https://lgtm.com/query/8934149255622582580/

[haby0]

@smowton @kevinbackhouse thanks.