Rules Repository: RSPEC-3510

"HostnameVerifier.verify" should not always return true

    Details

    • Type: Vulnerability Detection
    • Status: Deprecated
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Do not unconditionally return true in this method.
    • Highlighting:
      return statement
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources

      Description

      To prevent URL spoofing, HostnameVerifier.verify() methods should do more than simply return true. Returning true unconditionally may get you past a hostname-mismatch exception quickly, but it does so at the cost of opening a security hole in your application.

      Noncompliant Code Example

      SSLContext sslcontext = SSLContext.getInstance("TLS");
      sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
      }}, new java.security.SecureRandom());

      Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String requestedHost, SSLSession remoteServerSession) {
          return true;  // Noncompliant
        }
      }).build();
      

      Compliant Solution

      SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");
      sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
      }}, new java.security.SecureRandom());

      Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String requestedHost, SSLSession remoteServerSession) {
          return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
        }
      }).build();
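      The rule text leaves open what a substantive check looks like. As an added example, not part of the rule or its code samples, the verifier below compares the requested host against the dNSName entries of the peer's leaf certificate (the names the issuing CA actually vouched for) rather than against the session's peer host string; the class name SanHostnameVerifier and its two helper methods are hypothetical, and the class fails closed whenever the peer presented no verifiable certificate or no SAN extension.

```java
import java.security.cert.*;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.*;

/** Hypothetical verifier: accepts only hosts named in the leaf certificate's dNSName SANs. */
public final class SanHostnameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    @Override
    public boolean verify(String requestedHost, SSLSession session) {
        try {
            // getPeerCertificates() throws if the peer did not present a verified certificate
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matchesAnyDnsName(requestedHost, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed: an unverifiable peer is never accepted
        }
    }

    static boolean matchesAnyDnsName(String host, X509Certificate leaf) throws CertificateParsingException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension: do not fall back to the subject CN
        }
        String wanted = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == DNS_NAME && san.get(1) instanceof String
                    && matchesDnsName(wanted, ((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** Exact match, or a single leftmost "*." wildcard that covers exactly one label. */
    static boolean matchesDnsName(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        int dot = host.indexOf('.');
        // the wildcard label must be non-empty and the rest of the host must equal the pattern's suffix
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }
}
```

      Pass `new SanHostnameVerifier()` to `hostnameVerifier(...)` in place of the anonymous class above; where the client stack allows it, the JDK's built-in endpoint identification (`SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")`) performs this matching without any custom verifier.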
      

      People

      • Assignee: Unassigned
      • Reporter: ann.campbell.2 Ann Campbell