Merge pull request #2685 from esbena/java/sharpen-maven-non-ssl

java: sharpen java/maven/non-https-url to allow localhost URLs

Author: aschackmull

java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

@@ -25,8 +25,7 @@ private class DeclaredRepository extends PomElement {
   string getUrl() { result = getAChild("url").(PomElement).getValue() }
 
   predicate isInsecureRepositoryUsage() {
-    getUrl().matches("http://%") or
-    getUrl().matches("ftp://%")
+    getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
   }
 }
 

java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.expected

@@ -1,4 +1,5 @@
 | insecure-pom.xml:19:9:24:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
 | insecure-pom.xml:25:9:30:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
-| insecure-pom.xml:33:9:38:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
-| insecure-pom.xml:41:9:46:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
+| insecure-pom.xml:31:9:36:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost.example |
+| insecure-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
+| insecure-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |

java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml

@@ -28,6 +28,12 @@
             <!-- BAD! Use HTTPS -->
             <url>http://insecure-repository.example</url>
         </snapshotRepository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Insecure Repository Snapshots</name>
+            <!-- BAD! Use HTTPS -->
+            <url>http://localhost.example</url>
+        </snapshotRepository>
     </distributionManagement>
     <repositories>
         <repository>

java/ql/test/query-tests/security/CWE-829/semmle/tests/secure-pom.xml

@@ -28,6 +28,18 @@
             <!-- GOOD! Use HTTPS -->
             <url>https://insecure-repository.example</url>
         </snapshotRepository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Secure Repository Snapshots</name>
+            <!-- GOOD! Use HTTP, but for localhost -->
+            <url>http://localhost/snaphots</url>
+        </snapshotRepository>
+        <snapshotRepository>
+            <id>insecure-snapshots</id>
+            <name>Secure Repository Snapshots</name>
+            <!-- GOOD! Use HTTP, but for localhost -->
+            <url>http://localhost:82</url>
+        </snapshotRepository>
     </distributionManagement>
     <repositories>
         <repository>
@@ -36,6 +48,11 @@
             <!-- GOOD! Use HTTPS -->
             <url>https://insecure-repository.example</url>
         </repository>
+        <repository>
+            <id>test</id>
+            <!-- GOOD! Use HTTP, but for localhost -->
+            <url>http://localhost:${deploy.webserver.port}/repo</url>
+        </repository>
     </repositories>
     <pluginRepositories>
         <pluginRepository>