
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
82 lines
2.7 KiB
Plaintext
== Why is this an issue?

To prevent URL spoofing, ``++HostnameVerifier.verify()++`` methods should do more than simply ``++return true++``. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application.


=== Noncompliant code example

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLS" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return true; // Noncompliant
  }
}).build();
----


=== Compliant solution

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  @Override
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
  }
}).build();
----
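An added example, not part of this rule or its project, of a verifier that binds the requested host to the dNSName entries of the peer's leaf certificate; the JDK documents ``++SSLSession.getPeerHost()++`` as an unauthenticated hint, so a name-to-name comparison alone does not tie the certificate to the host the client asked for. The class name ``++SanHostnameVerifier++`` is assumed; it handles dNSName SANs only (not iPAddress), so IP-literal hosts are rejected rather than matched.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Hypothetical verifier: the requested host must match a dNSName SAN of the leaf certificate. */
public final class SanHostnameVerifier implements HostnameVerifier {
    private static final Integer DNS_NAME = 2; // GeneralName type tag for dNSName (iPAddress, type 7, not handled)

    @Override
    public boolean verify(String requestedHost, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates(); // throws if the peer was not authenticated
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
            return certificateMatchesHost((X509Certificate) chain[0], requestedHost);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed: no authenticated or parseable peer certificate
        }
    }

    /** True when any dNSName SAN matches the host; the subject CN is deliberately not consulted. */
    static boolean certificateMatchesHost(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN extension: do not fall back to the CN
        for (List<?> san : sans) {
            Object name = san.get(1);
            if (DNS_NAME.equals(san.get(0)) && name instanceof String && dnsNameMatches(host, (String) name)) {
                return true;
            }
        }
        return false;
    }

    /** Case-insensitive exact match, or a single leftmost "*." label that matches exactly one host label. */
    static boolean dnsNameMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        // The wildcard must stand for one non-empty label, and the pattern must keep at least two labels after it.
        return dot > 0 && p.indexOf('.', 2) > 0 && h.substring(dot + 1).equals(p.substring(2));
    }
}
```

Where the transport allows it, enabling the JSSE endpoint identification algorithm (``++SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")++``) performs this check inside the TLS handshake and is preferable to a hand-written matcher.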


== Resources

* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://cwe.mitre.org/data/definitions/295[MITRE, CWE-295] - Improper Certificate Validation
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Do not unconditionally return true in this method.


=== Highlighting

return statement


'''
== Comments And Links
(visible only on this page)

=== on 5 Mar 2018, 15:16:24 Alexandre Gigleux wrote:
There is no SEI CERT ID for this one in \https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

endif::env-github,rspecator-view[]