[SONARKT-4] Rule S5527 Server hostnames should be verified during SSL/TLS connections - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0
Component/s: None
Labels:
- Rules

Description

New rule to implement

Like for the same rule in Java, should raise when verify implementation from the HostnameVerifier interface always return true:

builder.hostnameVerifier(object : HostnameVerifier {
                override fun verify(hostname: String?, session: SSLSession?): Boolean {
                    return true // Noncompliant (s5527)
                }
            })

builder.hostnameVerifier(object : HostnameVerifier {
                override fun verify(hostname: String?, session: SSLSession?): Boolean { // Compliant
                    if(something()) {
                        return false
                    } else {
                        return true
                    }
                }
            })

Code examples: https://github.com/SonarSource/security-expected-issues/pull/418

Attachments

Issue Links

implements

RSPEC-5527 Server hostnames should be verified during SSL/TLS connections

Active

Activity

People

Assignee:: Margarita Nedzelska

Reporter:: Eric Therond (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 14/May/21

Created:: 19/Apr/21 8:40 AM

Updated:: 28/May/21 2:55 PM

Resolved:: 14/May/21 3:08 PM