codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

C#: Add query for insecure certificate validation

Open intrigus-lgtm opened this issue 1 year ago • 12 comments

intrigus-lgtm avatar Jun 25 '24 01:06 intrigus-lgtm

Hello intrigus-lgtm 👋 You have submitted this pull request as a bug bounty report in the github/securitylab repository and therefore this pull request has been put into draft state to give time for the GitHub Security Lab to assess the PR. When GitHub Security Lab has finished assessing your pull request, it will be marked automatically as Ready for review. Until then, please don't change the draft state.

In the meantime, feel free to make changes to the pull request. If you'd like to maximize payout for your this and future submissions, here are a few general guidelines, that we might take into consideration when reviewing a submission.

  • the submission models widely-used frameworks/libraries
  • the vulnerability modeled in the submission is impactful
  • the submission finds new true positive vulnerabilities
  • the submission finds very few false positives
  • code in the submission is easy to read and will be easy to maintain
  • documentation is written clearly, highlighting the impact of the issue it finds and is written without grammatical or other errors. The code samples clearly show the vulnerability
  • the submission includes tests, change note etc.

Please note that these are guidelines, not rules. Since we have a lot of different types of submissions, the guidelines might vary for each submission.

Happy hacking!

ghsecuritylab avatar Jun 25 '24 08:06 ghsecuritylab

I would like to reduce FPs by doing something similar to Java: https://github.com/github/codeql/blob/f9ae44ca5c7bedf0c2cfa98f60f917383ef3a93c/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll#L80-L104

But as far as I know, there is no equivalent library for C#.

intrigus-lgtm avatar Jun 26 '24 01:06 intrigus-lgtm

@intrigus-lgtm Greetings, it seems that this query has many FPs due to two reasons.

  1. SSL is often disabled in test and examples, so please add a filter to the query that removes any paths that contain "sample", "example", "demo", "test".
  2. Many examples are guarded by an if statement that checks a setting on whether to enable SSL. Ex:
if (!settings.ConnectivitySettings.TlsVerifyCert)
					handler.ServerCertificateCustomValidationCallback = delegate { return true; };

I will ping the codeql C# team and hopefully they can point you in the right direction. Thanks you.

Kwstubbs avatar Jul 25 '24 00:07 Kwstubbs

@github/codeql-csharp Hi team, this query is ready for review. If you could help intrigus in removing some FPs that would be great.

Kwstubbs avatar Jul 25 '24 00:07 Kwstubbs

@github/codeql-csharp Hi team, we hoping to finish up the last remaining CodeQL bounties so it would be great if we could get some feedback on this PR. Thanks

Kwstubbs avatar Sep 24 '24 20:09 Kwstubbs

Thank you for the contribution @intrigus-lgtm and all the reviewing of PRs that you are doing :-)

The PR has not yet been set to "Ready for review". Are you expecting a review of the code as is or just some recommendations? A couple of clarifying questions:

  1. The exceptions mentioned "sample", "example", "demo", "test" (maybe more) are they referring to code that are in file paths that contain these key words?
  2. Wrt the false positives. It appears that some guarding logic is needed. In C# there is a Guards module (Guards.qll) with a GuardedExpr class - maybe that will help?

Have you attempted to write this is a data flow query instead of a path problem? (where sources are callables, lambdas etc that returns true and sinks are writes to CertificateValidationProperties)

michaelnebel avatar Sep 26 '24 13:09 michaelnebel

Hi @michaelnebel,

The PR has not yet been set to "Ready for review". Are you expecting a review of the code as is or just some recommendations?

We ask bounty submitters (you can see the bounty process here) to keep their PRs in draft so that the CodeQL team doesn't get ahead of our team, whose job is to view the results and assign a score based on the criticality of the issue the query finds. This is one of the last few bounty submissions since we closed the bug bounty program, so future PRs should be business as usual.

The exceptions mentioned "sample", "example", "demo", "test" (maybe more) are they referring to code that are in file paths that contain these key words?

Yup, that what I was hoping to eliminate. Certain settings (like disabling ssl) are very common in test files or example projects, but we don't want to alert on those.

Kwstubbs avatar Sep 26 '24 16:09 Kwstubbs

Hi @intrigus-lgtm I tried to push some changes to this PR, but I don't have write access to the repo. Instead I opened a PR: https://github.com/github/codeql/pull/17603/. You are more than welcome to cherry pick the commits and apply them to this PR. The commits does the following:

  • Turns the query into a data flow query (which allows us to "track" sources (callables that always returns true) to the possible sinks (the properties in question))
  • Adds a sanitizer to the query, which allows you to filter out results that are guarded by a condition.
  • Adds some more test examples and base them on .NET Core stubs instead of DLLs.

I have added some comments to https://github.com/github/codeql/pull/17603/ which needs to be addressed after the commits are cherry picked onto this PR.

Once again, thank you very much for looking into this and I apologise for the slow feedback loop and let me know if you any questions whatsoever.

michaelnebel avatar Sep 27 '24 13:09 michaelnebel

Hi @intrigus-lgtm I tried to push some changes to this PR, but I don't have write access to the repo.

Hmm, that's weird; I have "Allow edits and access to secrets by maintainers" enabled.

Instead I opened a PR: #17603. You are more than welcome to cherry pick the commits and apply them to this PR. The commits does the following:

* Turns the query into a data flow query (which allows us to "track" sources (callables that always returns true) to the possible sinks (the properties in question))

* Adds a sanitizer to the query, which allows you to filter out results that are guarded by a condition.

* Adds some more test examples and base them on .NET Core stubs instead of DLLs.

I have added some comments to #17603 which needs to be addressed after the commits are cherry picked onto this PR.

Once again, thank you very much for looking into this and I apologise for the slow feedback loop and let me know if you any questions whatsoever.

Thanks for adding sanitizers and using stubs. I'm not too familiar with how .NET works so I copied the use of DLLs from other tests^^

intrigus-lgtm avatar Sep 27 '24 17:09 intrigus-lgtm

@intrigus-lgtm : Great! Do you have enough to continue from here or do you have any questions/concerns?

michaelnebel avatar Sep 30 '24 09:09 michaelnebel

@intrigus-lgtm : Great! Do you have enough to continue from here or do you have any questions/concerns?

I think I can continue from here, but I'm pretty busy, so expect a slow(er) response.

intrigus-lgtm avatar Oct 01 '24 13:10 intrigus-lgtm

Hi @intrigus-lgtm. Please could you move this PR into ready-for-review? We're wrapping up our bounty program, so we'd like to move this one forward so that we can complete the process as quickly as possible. Thanks!

kevinbackhouse avatar Oct 10 '24 17:10 kevinbackhouse