Address issues with matching empty host and host in a concatenated string

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -87,7 +87,7 @@ class HttpStringLiteral extends StringLiteral {
   HttpStringLiteral() {
     // Match URLs with the HTTP protocol and without private IP addresses to reduce false positives.
     exists(string s | this.getRepresentedString() = s |
-      s.regexpMatch("(?i)http://[\\[:a-zA-Z0-9].*") and
+      s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*") and
       not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex())
     )
   }
@@ -106,37 +106,33 @@ predicate concatHttpString(Expr protocol, Expr host) {
         .(CompileTimeConstantExpr)
         .getStringValue()
         .regexpMatch("(?i)http(://)?")
-  ) and // Not empty host string
-  (
-    host.(CompileTimeConstantExpr).getStringValue().length() > 0 or
-    host
-        .(VarAccess)
-        .getVariable()
-        .getAnAssignedValue()
-        .(CompileTimeConstantExpr)
-        .getStringValue()
-        .length() > 0
   ) and
-  not (
-    host.(CompileTimeConstantExpr).getStringValue().regexpMatch(getPrivateHostRegex()) or
-    host
-        .(VarAccess)
-        .getVariable()
-        .getAnAssignedValue()
-        .(CompileTimeConstantExpr)
-        .getStringValue()
-        .regexpMatch(getPrivateHostRegex())
+  not exists(string hostString |
+    hostString = host.(CompileTimeConstantExpr).getStringValue() or
+    hostString =
+      host.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
+  |
+    hostString.length() = 0 or // Empty host is loopback address
+    hostString.regexpMatch(getPrivateHostRegex())
   )
 }
 
+/** Gets the leftmost operand in a concatenated string */
+Expr getLeftmostConcatOperand(Expr expr) {
+  if expr instanceof AddExpr
+  then result = getLeftmostConcatOperand(expr.(AddExpr).getLeftOperand())
+  else result = expr
+}
+
 /**
  * String concatenated with `HttpStringLiteral`.
  */
 class HttpString extends Expr {
   HttpString() {
     this instanceof HttpStringLiteral
     or
-    concatHttpString(this.(AddExpr).getLeftOperand(), this.(AddExpr).getRightOperand())
+    concatHttpString(this.(AddExpr).getLeftOperand(),
+      getLeftmostConcatOperand(this.(AddExpr).getRightOperand()))
   }
 }
 

java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected

@@ -1,6 +1,6 @@
 edges
 | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post |
-| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
+| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post |
 | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post |
 | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
@@ -13,7 +13,7 @@ edges
 nodes
 | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureBasicAuth.java:28:3:28:6 | post | semmle.label | post |
-| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | semmle.label | "http://www.example.com:dashboardPort/payment/retrieve" : String |
+| InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | semmle.label | "http://www.example.com:8000/payment/retrieve" : String |
 | InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get |
 | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
 | InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post |
@@ -33,7 +33,7 @@ nodes
 | InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn |
 #select
 | InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url |
-| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" | HTTP url |
+| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:19:35:64 | "http://www.example.com:8000/payment/retrieve" | HTTP url |
 | InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
 | InsecureBasicAuth.java:71:3:71:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
 | InsecureBasicAuth.java:86:3:86:6 | post | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:47:78:52 | "http" | HTTP url |

java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java

@@ -156,7 +156,7 @@ public void testHttpUrlConnection3(String username, String password) {
 		String host = "LOCALHOST";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
-		HttpURLConnection conn = (HttpURLConnection) new URL("http://"+host+"/rest/getuser.do"+"?uid=abcdx").openConnection();
+		HttpURLConnection conn = (HttpURLConnection) new URL("http://"+(((host+"/rest/getuser.do")+"?uid=abcdx"))).openConnection();
 		conn.setRequestMethod("POST");
 		conn.setDoOutput(true);
 		conn.setRequestProperty("Authorization", "Basic " + encoding);