Add CWE-295 query for C# (accepting any TLS certificate)#22019
…ad-code returns
Compared with #1643 and merged its strengths into this PR (commit 4d3d1cf):
This PR keeps its broader coverage that #1643 lacked:
@copilot Turn the test into an inline expectations test. The qlref file should be in this format: And the C# source file should have
QHelp preview: csharp/ql/src/Security Features/CWE-295/AcceptAnyCertificate.qhelp

Accepting any TLS certificate during validation

A TLS/SSL certificate validation callback that always returns `true`

An attack might look like this:

Recommendation

Do not use a certificate validation callback that unconditionally returns `true`.

Example

In the first (bad) example, the callback always returns `true`.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public class CertificateValidation
{
    public void Bad()
    {
        var handler = new HttpClientHandler();
        // BAD: the callback always returns true, so every certificate is trusted.
        handler.ServerCertificateCustomValidationCallback =
            (request, certificate, chain, errors) => true;
    }

    public void Good()
    {
        var handler = new HttpClientHandler();
        // GOOD: the certificate is only trusted when there are no validation errors.
        handler.ServerCertificateCustomValidationCallback =
            (request, certificate, chain, errors) => errors == SslPolicyErrors.None;
    }
}
```

References
C# lacked a CWE-295 (Improper Certificate Validation) query that other languages already ship. This PR adds one that detects TLS/SSL certificate validation callbacks that trust every certificate, enabling machine-in-the-middle attacks.
Query

- `cs/accept-any-certificate` (Security Features/CWE-295/AcceptAnyCertificate.ql), a path-problem dataflow query.
- `true` — a lambda/anonymous method, a method-group reference to a method that always returns `true`, or `HttpClientHandler.DangerousAcceptAnyServerCertificateValidator`.
- `bool` with a `System.Net.Security.SslPolicyErrors` parameter. Covers `RemoteCertificateValidationCallback` (`ServicePointManager`, `HttpWebRequest`, `SslStream`) and `HttpClientHandler.ServerCertificateCustomValidationCallback`.
- `true`, so callbacks that inspect `SslPolicyErrors` are not flagged.

Supporting files

- `.qhelp` with good/bad samples, and a `newQuery` change note.
- `query-tests/Security Features/CWE-295/` covering inline lambdas, block bodies, method groups, `SslStream`, variable indirection, and the built-in dangerous validator, plus negative cases that perform real validation.
- The query resolves into the default `csharp-code-scanning` suite via its metadata.
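The callback shapes the query description above lists (inline lambda, method group, variable indirection, the built-in dangerous validator, and a negative case that inspects `SslPolicyErrors`), as an added C# illustration that is not part of the PR or its tests; the class `CallbackShapes`, the method `TrustEverything` and the placeholder thumbprint are assumptions for the example:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added illustration (not PR code); ExpectedThumbprint is a placeholder, not a real value.
public class CallbackShapes
{
    private const string ExpectedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT";

    // A method that ignores every argument and always returns true.
    private static bool TrustEverything(object sender, X509Certificate cert,
                                        X509Chain chain, SslPolicyErrors errors) => true;

    // Each assignment below disables certificate validation and is what the query reports.
    public static void Flagged()
    {
        // Inline lambda returning a constant true.
        var h1 = new HttpClientHandler();
        h1.ServerCertificateCustomValidationCallback = (req, cert, chain, errors) => true;

        // Method-group reference to a method that always returns true.
        ServicePointManager.ServerCertificateValidationCallback = TrustEverything;

        // Variable indirection: the delegate is built first, then assigned.
        RemoteCertificateValidationCallback cb = (s, cert, chain, errors) => true;
        ServicePointManager.ServerCertificateValidationCallback = cb;

        // The framework's built-in accept-all validator.
        var h4 = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
        };
    }

    // The result depends on SslPolicyErrors, so chain validation still happens; pinning narrows trust further.
    public static void NotFlagged()
    {
        var h = new HttpClientHandler();
        h.ServerCertificateCustomValidationCallback = (req, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None) return false;
            return cert != null && string.Equals(cert.Thumbprint, ExpectedThumbprint,
                                                 StringComparison.OrdinalIgnoreCase);
        };
    }
}
```

The four assignments in `Flagged()` are the shapes the PR's tests exercise as positives; `NotFlagged()` is the kind of negative case the `SslPolicyErrors` barrier is meant to leave alone.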