unencrypted-socket-java

Author: ESS-ENN

rules/java/security/unencrypted-socket-java.yml

@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+language: java
+severity: info
+message: >-
+  "Detected use of a Java socket that is not encrypted. As a result, the
+      traffic could be read by an attacker intercepting the network traffic. Use
+      an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory'
+      instead."
+note: >-
+  [CWE-319] Cleartext Transmission of Sensitive Information
+  [REFERENCES]
+      - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ast-grep-essentials: true
+
+rule:
+  any:
+    - pattern: new ServerSocket($$$)
+    - pattern: new Socket($$$)
+  not:
+    has:
+      stopBy: end
+      kind: ERROR
+

tests/__snapshots__/unencrypted-socket-java-snapshot.yml

@@ -0,0 +1,58 @@
+id: unencrypted-socket-java
+snapshots:
+  ? |
+    ServerSocket ssoc = new ServerSocket(1234);
+  : labels:
+    - source: new ServerSocket(1234)
+      style: primary
+      start: 20
+      end: 42
+  ? |
+    ServerSocket ssoc1 = new ServerSocket();
+  : labels:
+    - source: new ServerSocket()
+      style: primary
+      start: 21
+      end: 39
+  ? |
+    ServerSocket ssoc2 = new ServerSocket(1234, 10);
+  : labels:
+    - source: new ServerSocket(1234, 10)
+      style: primary
+      start: 21
+      end: 47
+  ? |
+    ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));
+  : labels:
+    - source: new ServerSocket(1234, 10, InetAddress.getByAddress(address))
+      style: primary
+      start: 21
+      end: 82
+  ? |
+    Socket soc = new Socket("www.google.com", 80);
+  : labels:
+    - source: new Socket("www.google.com", 80)
+      style: primary
+      start: 13
+      end: 45
+  ? |
+    Socket soc1 = new Socket("www.google.com", 80, true);
+  : labels:
+    - source: new Socket("www.google.com", 80, true)
+      style: primary
+      start: 14
+      end: 52
+  ? |
+    Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+  : labels:
+    - source: new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337)
+      style: primary
+      start: 14
+      end: 88
+  ? |
+    Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+  : labels:
+    - source: new Socket(InetAddress.getByAddress(remoteAddress), 80)
+      style: primary
+      start: 14
+      end: 69

tests/java/unencrypted-socket-java-test.yml

@@ -0,0 +1,23 @@
+id: unencrypted-socket-java
+valid:
+  - |
+    Socket soc = SSLSocketFactory.getDefault().createSocket("www.google.com", 443);
+  - |
+    ServerSocket ssoc = SSLServerSocketFactory.getDefault().createServerSocket(1234);
+invalid:
+  - |
+    Socket soc = new Socket("www.google.com", 80);
+  - |
+    Socket soc1 = new Socket("www.google.com", 80, true);
+  - |
+    Socket soc2 = new Socket("www.google.com", 80, InetAddress.getByAddress(address), 13337);
+  - |
+    Socket soc3 = new Socket(InetAddress.getByAddress(remoteAddress), 80);
+  - |
+    ServerSocket ssoc = new ServerSocket(1234);
+  - |
+    ServerSocket ssoc1 = new ServerSocket();
+  - |
+    ServerSocket ssoc2 = new ServerSocket(1234, 10);
+  - |
+    ServerSocket ssoc3 = new ServerSocket(1234, 10, InetAddress.getByAddress(address));