-
Notifications
You must be signed in to change notification settings - Fork 1.9k
[Java] Add Unicode Bypass Validation query, test and help file #12995
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
java/ql/src/change-notes/2023-05-02-post-unicode-normalization-query.md
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/RegexAndStrManipulation.qll
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidation.qhelp
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidation.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidation.ql
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidationQuery.qll
Outdated
Show resolved
Hide resolved
|
QHelp previews: java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidation.qhelpBypass Logical Validation Using Unicode CharactersSecurity checks bypass due to a Unicode transformation If ever a unicode tranformation is performed after some security checks or logical validation, the latter could be bypassed due to a potential Unicode characters collision. The validation of concern are any character escaping, any regex validation or any string verification. RecommendationPerform a Unicode normalization before the logical validation. ExampleThe following example showcases the bypass of all checks performed by For instance: the character U+FE64 ( import java.text.Normalizer;
public class BadExampleBypassEscape extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String inputEncoded = encodeForHtml(request.getParameter("input"));
String output = Normalizer.normalize(inputEncoded, Normalizer.Form.NFKC);
response.getWriter().write(output);
}
static String encodeForHtml(String text) {
return text.replace("<", "<");
}
}References
|
smowton
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tests: I recommend adding at least one example exercising the Pattern.compile route, and at least one good (safe) example that the query should not flag, despite containing a unicode normalization call.
java/ql/src/experimental/Security/CWE/CWE-176/RegexAndStrManipulation.qll
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/src/experimental/Security/CWE/CWE-176/UnicodeBypassValidationQuery.qll
Outdated
Show resolved
Hide resolved
|
Looks sensible to me. Next step is to supply a CVE to the security lab and for them to pursue their review from a security point of view (cf mine from a QL engineering point of view) |
|
Please rebase on latest main so we can rerun CI now this is pending merge. |
…idation.ql Co-authored-by: Chris Smowton <smowton@github.com>
…idation.ql Co-authored-by: Chris Smowton <smowton@github.com>
…idationQuery.qll Co-authored-by: Chris Smowton <smowton@github.com>
…ulation.qll Co-authored-by: Chris Smowton <smowton@github.com>
…idationQuery.qll Co-authored-by: Chris Smowton <smowton@github.com>

This pull request adds a Unicode Bypass Validation (UBV) query, tests, and the help file.
The UBV query checks for a Post-Unicode Normalization in a Java codebase that leads to some security issues such as the bypasses of a String validation, regex verification, and escape functions.