com.h3xstream.findsecbugs.crypto.WeakTrustManagerDetector Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of plugin Show documentation
Show all versions of plugin Show documentation
Core module of the project. It include all the FindBugs detectors.
The resulting jar is the published plugin.
The newest version!
/**
* Find Security Bugs
* Copyright (c) 2013, Philippe Arteau, All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 3.0 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library.
*/
package com.h3xstream.findsecbugs.crypto;
import com.h3xstream.findsecbugs.common.InterfaceUtils;
import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Detector;
import edu.umd.cs.findbugs.Priorities;
import edu.umd.cs.findbugs.ba.ClassContext;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import org.apache.bcel.generic.GETFIELD;
import org.apache.bcel.generic.Instruction;
import org.apache.bcel.generic.InvokeInstruction;
import org.apache.bcel.generic.MethodGen;
/**
* The first reflex for developer that encounter web services that have unsigned certificate
* is often to trust all certificates.
*
* To trust everything, the standard API for SSL communication requires the implementation of a child
* interface of "javax.net.ssl.TrustManager" (marker interface). Commonly, X509TrustManager is being used.
*
* Sample of code being used
*
* @see javax.net.ssl.TrustManager
* @see javax.net.ssl.X509TrustManager
*/
public class WeakTrustManagerDetector implements Detector {
private static final boolean DEBUG = false;
private static final String WEAK_TRUST_MANAGER_TYPE = "WEAK_TRUST_MANAGER";
private BugReporter bugReporter;
public WeakTrustManagerDetector(BugReporter bugReporter) {
this.bugReporter = bugReporter;
}
@Override
public void visitClassContext(ClassContext classContext) {
JavaClass javaClass = classContext.getJavaClass();
//The class extends X509TrustManager
boolean isTrustManager = InterfaceUtils.classImplements(javaClass,"javax.net.ssl.X509TrustManager");
//Not the target of this detector
if (!isTrustManager) return;
Method[] methodList = javaClass.getMethods();
for (Method m : methodList) {
MethodGen methodGen = classContext.getMethodGen(m);
if (DEBUG) System.out.println(">>> Method: " + m.getName());
//The presence of checkClientTrusted is not enforce for the moment
if (!m.getName().equals("checkServerTrusted") &&
!m.getName().equals("getAcceptedIssuers")) {
continue;
}
//Currently the detection is pretty weak.
//It will catch Dummy implementation that have empty method implementation
boolean invokeInst = false;
boolean loadField = false;
for (Instruction inst : methodGen.getInstructionList().getInstructions()) {
if (DEBUG)
System.out.println(inst.toString(true));
if (inst instanceof InvokeInstruction) {
invokeInst = true;
}
if (inst instanceof GETFIELD) {
loadField = true;
}
}
if (!invokeInst && !loadField) {
bugReporter.reportBug(new BugInstance(this, WEAK_TRUST_MANAGER_TYPE, Priorities.NORMAL_PRIORITY) //
.addClassAndMethod(javaClass, m));
}
}
}
@Override
public void report() {
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy