Java: CodeQL does not detect SSL certificate validation vulnerabilities in Apache HttpComponents

[ebickle]

Description of the issue

Java code vulnerabilities that trust self-signed certificates for outbound HTTP requests are not detected by CodeQL. In other words, CWE-295 is not detected for self-signed certificates when the Apache HttpComponents HttpClient is used.

Apache HttpComponents is listed as a supported framework in the CodeQL documentation.

Code samples or links to source code
Refer to https://github.com/ebickle/codeql-security-selfsigned for a narrowly scoped example of the issue using HTTPClient 4.5 and TrustSelfSignedStrategy.

Some sample code is also included here:

        KeyStore javaKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());

        SSLContext sslContext = SSLContexts.custom()
            .loadTrustMaterial(null, new TrustSelfSignedStrategy())
            .build();

        HttpClientBuilder httpClientBuilder = HttpClientBuilder.create()
            .setSSLContext(sslContext);

        try (CloseableHttpClient httpClient = httpClientBuilder.build()) {
            HttpGet request = new HttpGet("https://github.com/");
            try (CloseableHttpResponse response = httpClient.execute(request)) {
                System.out.println(response.getStatusLine().getReasonPhrase());
            }
        }

Based on a review of the java-queries and java-all qlpacks, it appears as though CodeQL isn't checking for any vulnerabilities where SSL certificate verification is disabled, except for the built-in Java SE platform classes. Apache HttpComponents is so broadly used that CodeQL should probably add additional checks targeting these libraries (and the various incompatible versions of it - e.g. v3.x, v4.x, v5.x).

There are a few different insecure configurations possible - the sample code above just covers self-signed certificates, but not completely disabling certificate validation or other common scenarios. The TrustSelfSignedStrategy was caught by our third-party scanning tool that we're deprecating, but not by CodeQL.

[intrigus-lgtm]

I'd be interested in trying to fix this as I wrote the CWE-295 query :)
However I will probably not have much time before early October.

Do you know how prevalent this issue is in applications that use Apache HttpComponents?

[ebickle]

@intrigus-lgtm Thanks! I haven't been able to do much deep analysis on my own yet, but here's what I've found.

There are three major versions of Apache HttpClient. In addition, v4 has has had multiple TLS/SSL API changes over the years - some deprecated methods and other new ones.

• Apache HttpClient v5
  • Maven dependency: org.apache.httpcomponents.client5;httpclient5
  • Java packages: orc.apache.hc.client5.*
  • 8th most popular HTTP client in Maven ecosystem - 986 public usages
• Apache HttpClient v4
  • Maven dependency: org.apache.httpcomponents:httpclient
  • Java packages: org.apache.http.*
  • Most popular HTTP client in Maven ecosystem - 14058 public usages
• Apache Commons HttpClient (v3)
  • Maven dependency: commons-httpclient:commons-httpclient
  • Java packages: org.apache.commons.httpclient.*
  • 5th most popular HTTP client in Maven ecosystem - 3116 public usages
  • Deprecated since 2007, but a lot of legacy applications still use this.

I'm not an expert in this space, but it looks as though there have been many different mechanisms for disabling TLS verification over the years. Here are some I found, but by no means a complete list:

HttpClient v4

• org.apache.http.conn.ssl.TrustSelfSignedStrategy
  • A trust strategy that accepts self-signed certificates as trusted.
  • https://javadoc.io/doc/org.apache.httpcomponents/httpclient/4.5.10/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
  • https://stackoverflow.com/a/19518383
  • 3600 files on github.com (https://github.com/search?q=path%3A*.java+TrustSelfSignedStrategy+&type=code)
• org.apache.http.conn.ssl.TrustAllStrategy
  • A trust strategy that accepts all certificates as trusted.
  • https://javadoc.io/doc/org.apache.httpcomponents/httpclient/4.5.10/org/apache/http/conn/ssl/TrustAllStrategy.html
  • https://stackoverflow.com/questions/61056194/understanding-the-ssl-trust-strategy
  • 720 files on github.com (https://github.com/search?q=path%3A*.java+TrustAllStrategy&type=code)
• org.apache.http.conn.ssl.NoopHostnameVerifier
  • The NO_OP HostnameVerifier essentially turns hostname verification off.
  • https://javadoc.io/doc/org.apache.httpcomponents/httpclient/4.5.10/org/apache/http/conn/ssl/NoopHostnameVerifier.html
  • https://stackoverflow.com/a/24370091
  • 6000 files on github.com (https://github.com/search?q=path%3A*.java+NoopHostnameVerifier&type=code)
• org.apache.http.conn.ssl.AllowAllHostnameVerifier
  • The ALLOW_ALL HostnameVerifier essentially turns hostname verification off.
  • https://javadoc.io/doc/org.apache.httpcomponents/httpclient/4.5.10/org/apache/http/conn/ssl/AllowAllHostnameVerifier.html
  • https://stackoverflow.com/a/24370091
  • 1600 files on github.com (https://github.com/search?q=path%3A*.java+AllowAllHostnameVerifier&type=code)

The classes listed above can be used via the class constructor (new TrustSelfSignedStrategy()) or an instance field (TrustSelfSignedStrategy.INSTANCE).

• Implementing the org.apache.http.conn.ssl.PrivateKeyStrategy, org.apache.http.conn.ssl.TrustStrategy, or org.apache.http.conn.ssl.X509HostnameVerifier interfaces insecurely. In the public examples I checked, most implementations of these interfaces appear to introduce a vulnerability via a no-op.

  • ~300 hits for implementing TrustStrategy: https://github.com/search?q=path%3A*.java+%22implements+TrustStrategy%22+AND+%22import+org.apache.http.conn.ssl%22&type=code
  • ~200 hits for implementing X509HostnameVerifier: https://github.com/search?q=path%3A*.java+%22implements+X509HostnameVerifier%22+AND+%22import+org.apache.http.conn.ssl%22&type=code
  • Not many hits for PrivateKeyStrategy (< 30). About half seemed to be trusting self-signed.

• Building a custom SSLContext with a custom X509TrustManager and using it to build an Apache HttpClient instance.

  • It's possible the existing CodeQL query will find this scenario, but I haven't checked. It's possible it will need to be adjusted to catch scenarios where an insecure X509TrustManager is passed into the methods that build an Apache HttpClient.
  • Example: https://stackoverflow.com/a/2703233
  • 8600 hits for X509TrustManager being used alongside Apache HttpClient: https://github.com/search?q=path%3A*.java+X509TrustManager+AND+%22import+org.apache.http%22&type=code - many of these looked like they were disabling certificate verification

HttpClient v5
I haven't looked at v5 in detail yet, but many of the same interfaces and classes from v4 still exist but in different packages. E.g. org.apache.hc.client5.http.ssl.TrustAllStrategy

Commons-HttpClient v3

• org.apache.commons.httpclient.contrib.ssl.EasySSLProtocolSocketFactory can be used to create SSL sockets that accept self-signed certificates
  • http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java?view=markup
  • 750 hits for EasySSLProtocolSocketFactory, which appears to always be insecure: https://github.com/search?q=EasySSLProtocolSocketFactory+&type=code

It's amazing just how many methods there are for disabling TLS security protections in these clients. I probably didn't even scratch the surface of what's possible 😎

[egregius313]

Hi @ebickle,

This sounds like something worth addressing, so I've added this issue to our backlog. We won't be able to address it immediately though, due to more urgent pressures on engineer time.

If you would like to see this added sooner, we welcome community contributions through experimental queries. (In this case I suspect you can use the existing InsecureTrustManagerQuery library and extend the InsecureTrustManagerSource and InsecureTrustManagerSink classes with the types you need need covered.) See the java/insecure-trustmanager query and InsecureTrustManager.qll.

You can find information on query writing here. And you can find the documentation for submitting an experimental query here.