rspec/rules/S3510/java/rule.adoc

== Why is this an issue?

To prevent URL spoofing, ``++HostnameVerifier.verify()++`` methods should do more than simply ``++return true++``. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application. 


=== Noncompliant code example

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLS" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return true;  // Noncompliant
  }
}).build();
----


=== Compliant solution

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  @Override
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
  }
}).build();
----


== Resources

* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Do not unconditionally return true in this method.


=== Highlighting

return statement


'''
== Comments And Links
(visible only on this page)

=== on 5 Mar 2018, 15:16:24 Alexandre Gigleux wrote:
There is no SEI CERT ID for this one in \https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			To prevent URL spoofing, ``++HostnameVerifier.verify()++`` methods should do more than simply ``++return true++``. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`SSLContext sslcontext = SSLContext.getInstance( "TLS" );`
			`sslcontext.init(null, new TrustManager[]{new X509TrustManager() {`
			`public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}`
			`public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}`
			`public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }`

			`}}, new java.security.SecureRandom());`

			`Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {`
			`@Override`
			`public boolean verify(String requestedHost, SSLSession remoteServerSession) {`
			`return true; // Noncompliant`
			`}`
			`}).build();`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`SSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" );`
			`sslcontext.init(null, new TrustManager[]{new X509TrustManager() {`
			`@Override`
			`public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}`
			`@Override`
			`public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}`
			`@Override`
			`public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }`

			`}}, new java.security.SecureRandom());`

			`Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {`
			`@Override`
			`public boolean verify(String requestedHost, SSLSession remoteServerSession) {`
			`return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant`
			`}`
			`}).build();`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]`
			`* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Do not unconditionally return true in this method.`


			`=== Highlighting`

			`return statement`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 5 Mar 2018, 15:16:24 Alexandre Gigleux wrote:`
			`There is no SEI CERT ID for this one in \https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`