Checker Authentication

belongs to group Basic
Identify authentication security risks

Frameworks supported by this checker

  • java up to 11
  • android up to API level 28
  • dotnet

Warnings generated by this checker

  • AuthenticationSetToAnonymousWarning: the LDAP authentication is set to anonymous, thus compromising security [ CWE287 ]
  • HostNameInConditionWarning: a host name is used in a condition [ CWE287 ]
  • UnauthenticatedWebAPIWarning: a Web API method is not annotated for authentication [ CWE287 ]

Options accepted by this checker

  • none

Annotations understood by this checker

  • @com.juliasoft.julia.checkers.authentication.YieldsHostName


Description

This checker identifies security issues related to authentication procedures, such as using no password for LDAP authentication or using the host name in conditions.

Action: check if the warning actually corresponds to a real security issue related to authentication and, if that is the case, use a more secure authentication procedure.

Examples

Consider the following code:

import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;

public class Authentication {

  public static void main(String[] args) throws UnknownHostException {
    boolean found = false;
    InetAddress[] addrs = Inet6Address.getAllByName("www.juliasoft.com");
    for (InetAddress addr: addrs) {
      if (addr.getCanonicalHostName().equals("231.13.35.1"))
        found = true;
      else if ("112.34.5.103".equals(addr.getCanonicalHostName()))
        found = true;

      found |= addr.getCanonicalHostName().startsWith("131.");
    }

    if (found)
      System.out.println("OK");
  }
}

This checker issues the following warnings:

Authentication.java:11: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach
Authentication.java:13: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach
Authentication.java:16: [Authentication: HostNameInConditionWarning] Call to getCanonicalHostName() is used in a condition: this might lead to a security breach

since the host name is used in conditions, three times. Moreover, in the following code (taken from Sun Microsystems' JNDI tutorial example):

import javax.naming.*;
import javax.naming.directory.*;

import java.util.Hashtable;

public class None {

  @SuppressWarnings({ "rawtypes", "unchecked" })
  public static void main(String[] args) {
    // Set up environment for creating initial context
    Hashtable env = new Hashtable(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

    // Use anonymous authentication
    env.put(Context.SECURITY_AUTHENTICATION, "none");

    try {
      // Create initial context
      DirContext ctx = new InitialDirContext(env);

      System.out.println(ctx.lookup("ou=NewHires"));

      // do something useful with ctx

      // Close the context when we're done
      ctx.close();
    } catch (NamingException e) {
      e.printStackTrace();
    }
  }
}

this checker issues the following warnings:

None.java:16: [Authentication: AuthenticationSetToAnonymousWarning] LDAP authentication seems set to anonymous, thus compromising security

since the LDAP authentication is set to none, that is, the bind is anonymous and no password is used.

Finally, consider the following code:

// javax.annotation.security, as named in the warning below
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
// JAX-RS Web API verb annotations
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.HEAD;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;

public class WebAPIAuthentication {

  // the class-level annotation covers every Web API method declared inside
  @RolesAllowed(value = { "admin" })
  class AuthenticatedWebAPI {

    @GET
    public String Get() {...}

    @PUT
    public String Put() {...}

    @POST
    public String Post() {...}

    @HEAD
    public String Head() {...}

    @DELETE
    public String Delete() {...}

    // not Web API methods: not counted by the checker
    public String foo() {...}

    public String foo2() {...}

    public String foo3() {...}
  }

  @PermitAll
  @GET
  public String authenticatedGet() {...}

  @PermitAll
  @PUT
  public String authenticatedPut() {...}

  @DenyAll
  @DELETE
  public String authenticatedDelete() {...}

  @RolesAllowed(value = { "admin" })
  @HEAD
  public String authenticatedHead() {...}

  @PermitAll
  @POST
  public String authenticatedPost() {...}

  // Web API method without any authentication annotation
  @GET
  public String unauthenticatedGet() {...}

  public String foo() {...}

  @PermitAll
  public String foo2() {...}

  public String foo3() {...}
}

This code contains several methods: 11 of them are annotated with Web API annotations (e.g., @GET) and 10 of those also carry authentication annotations (e.g., @RolesAllowed), either directly or through their enclosing class. Therefore, more than 80% (that is, more than the percentage indicated in parameter authenticatedWebAPIPercentage) of the Web API methods are annotated with authentication information, so the one that is not stands out and the following warning is produced by this checker:

WebAPIAuthentication.java:92: [Authentication: UnauthenticatedWebAPIWarning] Method "unauthenticatedGet" is annotated as a Web API but it is not annotated for authentication (e.g., javax.annotation.security.RolesAllowed)

Note that no warning was produced for the methods of class AuthenticatedWebAPI, even though none of them is annotated with authentication information itself, since the class carries such an annotation.
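To make the rule concrete, here is an added toy re-implementation of the UnauthenticatedWebAPIWarning logic (example code, not Julia's own): it collects Web API and authentication annotations per method, lets a class-level annotation cover the methods declared inside that class, and flags the unannotated Web API methods only when the authenticated share exceeds a threshold that stands in for the authenticatedWebAPIPercentage parameter (assumed to be 80%). The annotation sets, the regexes and the sample source are assumptions constructed for this example.

```python
import re

WEB_API = {"GET", "PUT", "POST", "HEAD", "DELETE"}   # JAX-RS verb annotations
AUTH = {"RolesAllowed", "PermitAll", "DenyAll"}       # javax.annotation.security
ANNOT = re.compile(r"@(\w+)")
CLASS = re.compile(r"\bclass\s+\w+")
METHOD = re.compile(r"public\s+\w+\s+(\w+)\s*\(")

def unauthenticated_web_api(java_source, threshold=0.80):
    # threshold stands in for authenticatedWebAPIPercentage (assumed 80%). Returns
    # (warnings, web_api_count, authenticated_count); toy line-based scan of the source.
    pending, class_stack, depth, methods = set(), [], 0, []
    for no, line in enumerate(java_source.splitlines(), 1):
        pending |= set(ANNOT.findall(line))   # annotations seen since the last declaration
        if CLASS.search(line):
            # an auth annotation on the class covers every method declared inside it
            class_stack.append((depth, bool(pending & AUTH)))
            pending = set()
        elif (m := METHOD.search(line)):
            inherited = any(auth for _, auth in class_stack)
            methods.append((no, m.group(1), bool(pending & WEB_API),
                            inherited or bool(pending & AUTH)))
            pending = set()
        depth += line.count("{") - line.count("}")
        while class_stack and depth <= class_stack[-1][0]:
            class_stack.pop()                      # closing brace of that class
    web = [m for m in methods if m[2]]
    authed = sum(1 for m in web if m[3])
    warnings = []
    if web and authed / len(web) > threshold:      # most are protected: flag the outliers
        warnings = [f'{no}: UnauthenticatedWebAPIWarning: Method "{name}" is annotated '
                    'as a Web API but it is not annotated for authentication'
                    for no, name, _, auth in web if not auth]
    return warnings, len(web), authed

# Constructed sample, condensed from the WebAPIAuthentication sketch above.
SAMPLE = """\
public class WebAPIAuthentication {
  @RolesAllowed(value = { "admin" }) class AuthenticatedWebAPI {
    @GET public String Get() {...}
    @DELETE public String Delete() {...}
    public String foo() {...}
  }
  @PermitAll @GET public String authenticatedGet() {...}
  @DenyAll @DELETE public String authenticatedDelete() {...}
  @RolesAllowed(value = { "admin" }) @HEAD public String authenticatedHead() {...}
  @GET public String unauthenticatedGet() {...}
  @PermitAll public String foo2() {...}
}
"""
```

On the sample, 5 of the 6 Web API methods are authenticated (the two inside AuthenticatedWebAPI through the class annotation), so only unauthenticatedGet on line 10 is reported; raising the threshold above that share suppresses the warning, as the parameter is meant to.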

Consider the following code:

using com.juliasoft.julia.checkers;
using System;
using System.DirectoryServices;
using System.Net;

namespace DocumentationExamples
{

    public class Authentication
    {
        [SuppressJuliaWarnings(Value = new string[] { "production", "basicnullness", "shortcircuit", "nullness" })]
        public static void Main(string[] args)
        {
            bool found = false;
            IPAddress[] addrs = Dns.GetHostAddresses("www.juliasoft.com");
            foreach (IPAddress addr in addrs)
            {
                // these calls to ToString() get compiled as Object.ToString(). Hence, these warnings appear
                // only if System.Net.dll is submitted as a library. Otherwise, Julia cannot link these calls
                // to the actual one that is annotated inside the wizards
                if (addr.ToString().Equals("231.13.35.1"))
                    found = true;
                else if ("112.34.5.103".Equals(addr.ToString()))
                    found = true;
                found |= addr.ToString().StartsWith("131.");
            }
            if (found)
                Console.WriteLine("OK");

            // anonymous bind: no credentials are sent to the directory
            DirectoryEntry dir = new DirectoryEntry("ldap://localhost:389/o=JNDITutorial")
            {
                AuthenticationType = AuthenticationTypes.None
            };
            DirectorySearcher searcher = new DirectorySearcher(dir)
            {
                PageSize = int.MaxValue,
                Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=AnAccountName))"
            };
            searcher.PropertiesToLoad.Add("sn");
            searcher.FindOne();
        }
    }
}

Information: The result of the analysis may be different depending on whether the System library is included or not in the analysis.

This checker issues the following warnings:

DocumentationExamples.cs:21: [Authentication: HostNameInConditionWarning] Call to method "ToString" is used in a condition: this might lead to a security breach
DocumentationExamples.cs:23: [Authentication: HostNameInConditionWarning] Call to method "ToString" is used in a condition: this might lead to a security breach
DocumentationExamples.cs:25: [Authentication: HostNameInConditionWarning] Call to method "ToString" is used in a condition: this might lead to a security breach

since the host name is used in conditions, three times. Moreover, this checker issues the AuthenticationSetToAnonymousWarning warning at line 30:

DocumentationExamples.cs:30: [Authentication: AuthenticationSetToAnonymousWarning] LDAP authentication seems set to anonymous, thus compromising security

since the LDAP authentication type is set to None, that is, the bind is anonymous and no password is used.