Java: Only detect JxBrowser < 6.24

intrigus · intrigus · commit 1ebc9f4d9399 · 2021-01-12T22:39:08.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JXBrowserWithoutCertValidation.ql
@@ -12,10 +12,18 @@ import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
 
 /*
- * This query is version specific to JXBrowser 6.x.x. The version is indirectly detected.
+ * This query is version specific to JXBrowser < 6.24. The version is indirectly detected.
  * In version 6.x.x the `Browser` class is in a different package compared to version 7.x.x.
  */
 
+/**
+ * Holds if a safe JXBrowser 6.x.x version is used, such as version 6.24.
+ * This is detected by the the presence of the `addBoundsListener` in the `Browser` class.
+ */
+private predicate isSafeJXBrowserVersion() {
+  exists(Method m | m.getDeclaringType() instanceof JXBrowser | m.hasName("addBoundsListener"))
+}
+
 /** The `com.teamdev.jxbrowser.chromium.Browser` class. */
 private class JXBrowser extends RefType {
   JXBrowser() { this.hasQualifiedName("com.teamdev.jxbrowser.chromium", "Browser") }
@@ -69,5 +77,6 @@ private class JXBrowserTaintTracking extends TaintTracking::Configuration {
 from JXBrowserTaintTracking cfg, DataFlow::Node src
 where
   cfg.isSource(src) and
-  not cfg.hasFlow(src, _)
+  not cfg.hasFlow(src, _) and
+  not isSafeJXBrowserVersion()
 select src, "This JXBrowser instance allows man-in-the-middle attacks."
