Skip to content

Conversation

@Sim4n6
Copy link
Contributor

@Sim4n6 Sim4n6 commented May 2, 2023

This pull request adds a Unicode Bypass Validation (UBV) query, tests, and the help file.

The UBV query checks for a Post-Unicode Normalization in a Java codebase that leads to some security issues such as the bypasses of a String validation, regex verification, and escape functions.

@github-actions
Copy link
Contributor

QHelp previews:

java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidation.qhelp

Bypass Logical Validation Using Unicode Characters

Security checks bypass due to a Unicode transformation

If ever a unicode tranformation is performed after some security checks or logical validation, the latter could be bypassed due to a potential Unicode characters collision. The validation of concern are any character escaping, any regex validation or any string verification.

Security checks bypassed

Recommendation

Perform a Unicode normalization before the logical validation.

Example

The following example showcases the bypass of all checks performed by flask.escape() due to a post-unicode normalization.

For instance: the character U+FE64 () is not filtered-out by the flask escape function. But due to the Unicode normalization, the character is transformed and would become U+003C (< ).

import java.text.Normalizer;

public class BadExampleBypassEscape extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        String inputEncoded = encodeForHtml(request.getParameter("input"));
        String output = Normalizer.normalize(inputEncoded, Normalizer.Form.NFKC);
        response.getWriter().write(output);
    }

    static String encodeForHtml(String text) {
        return text.replace("<", "&lt;");
    }
}

References

@Sim4n6 Sim4n6 requested a review from smowton July 14, 2023 07:18
Copy link
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests: I recommend adding at least one example exercising the Pattern.compile route, and at least one good (safe) example that the query should not flag, despite containing a unicode normalization call.

@Sim4n6 Sim4n6 requested a review from smowton July 16, 2023 06:02
@Sim4n6 Sim4n6 requested a review from smowton July 17, 2023 12:26
@smowton
Copy link
Contributor

smowton commented Jul 17, 2023

Looks sensible to me. Next step is to supply a CVE to the security lab and for them to pursue their review from a security point of view (cf mine from a QL engineering point of view)

@smowton
Copy link
Contributor

smowton commented Dec 19, 2023

Please rebase on latest main so we can rerun CI now this is pending merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants