Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

C#: Insecure Certificate Validation. #17603

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

C#: Insecure Certificate Validation. #17603

wants to merge 3 commits into from

Conversation

michaelnebel
Copy link
Contributor

No description provided.

@github-actions GitHub Actions
Copy link
Contributor

QHelp previews:

csharp/ql/src/experimental/CWE-295/InsecureCertificateValidation.qhelp

Unsafe CertificateValidationCallback use.

Using a RemoteCertificateValidationCallback that always returns true is insecure because it allows any certificate to be accepted as valid. This can lead to a variety of security issues, including man-in-the-middle attacks.

Recommendation

Ensure that RemoteCertificateValidationCallback implementations properly verify the certificate before returning true. Avoid implementing callbacks that unconditionally accept all certificates.

Example

The following example demonstrates an insecure use of RemoteCertificateValidationCallback that always returns true:

ServicePointManager.ServerCertificateValidationCallback = 
    (sender, cert, chain, sslPolicyErrors) => true;

A secure approach would involve proper verification of the certificate before returning true:

ServicePointManager.ServerCertificateValidationCallback += 
        (sender, cert, chain, sslPolicyErrors) => {
            if (cert.Issuer == "TrustedIssuer" /* && other conditions */)
                return true;
            return false;
        };

References

  • CA5359: Do not disable certificate validation CA5359
  • Common Weakness Enumeration: CWE-295.
  • Common Weakness Enumeration: CWE-297.

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 27, 2024
View reviewed changes
csharp/ql/src/experimental/CWE-295/InsecureCertificateValidationQuery.qll Fixed Show fixed Hide fixed
csharp/ql/src/experimental/CWE-295/InsecureCertificateValidationQuery.qll
any(CertificateValidationProperty p).getAnAssignedValue(),
any(SslStreamCreation yy).getServerCertificateValidationCallback()
] and
not e.getFile().getAbsolutePath().matches("example")

Check notice

Code scanning / CodeQL

Use of regexp to match a set of constant string Note

Use string comparison instead of regexp to compare against a constant set of string.
@michaelnebel michaelnebel mentioned this pull request Sep 27, 2024
Draft
@michaelnebel michaelnebel force-pushed the c-sharp-certificate-validation branch from 11c5de4 to 0a82c34 Compare September 27, 2024 13:13
michaelnebel
michaelnebel commented Sep 27, 2024
View reviewed changes
csharp/ql/src/experimental/CWE-295/InsecureCertificateValidationQuery.qll
any(CertificateValidationProperty p).getAnAssignedValue(),
any(SslStreamCreation yy).getServerCertificateValidationCallback()
] and
not e.getFile().getAbsolutePath().matches("example")
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@intrigus-lgtm : Here you can insert a "filter" that excludes sinks located in files matching specific names.

michaelnebel
michaelnebel commented Sep 27, 2024
View reviewed changes
csharp/ql/src/experimental/CWE-295/InsecureCertificateValidationQuery.qll
private predicate ignoreCertificateValidation(Guard guard, AbstractValue v) {
guard =
any(PropertyAccess access |
access.getProperty().hasFullyQualifiedName("", "Settings", "IgnoreCertificateValidation") and
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@intrigus-lgtm : This is somewhat similar to the Java implementation of flags that you mentioned. There doesn't exist similar library functionality for C# and thus we need to implement it here.
This is hardcoded specifically to the test flag Settings.IngoreCertificateValidation just to illustrate, how this can be achieved. This code needs to be modified to the flags/conditions that fits the purposes of certificate validation.

michaelnebel
michaelnebel commented Sep 27, 2024
View reviewed changes
csharp/ql/src/experimental/CWE-295/InsecureCertificateValidationQuery.qll
/**
* Holds if `c` always returns `true`.
*/
private predicate alwaysReturnsTrue(Callable c) {
Copy link
Contributor Author

@michaelnebel michaelnebel Sep 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@intrigus-lgtm : Maybe consider to improve this: Inspiration can be found in isExpressionAlwaysTrue in JsonWebTokenHandlerLib.qll

@michaelnebel michaelnebel force-pushed the c-sharp-certificate-validation branch from 0a82c34 to 18db405 Compare October 1, 2024 08:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C# documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@michaelnebel @intrigus-lgtm