Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5d4cd70

Browse files
atorralbaatorralba
committed
Adjusted sources and sanitizer of UnsafeCertTrust taint tracking config
1 parent e43fff2 commit 5d4cd70

6 files changed

Lines changed: 463 additions & 25 deletions

File tree

java/ql/lib/semmle/code/java/security/Encryption.qll

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,30 @@ class SetDefaultHostnameVerifierMethod extends Method {
122122
}
123123
}
124124

125+
/** The `beginHandshake` method of the class `javax.net.ssl.SSLEngine`. */
126+
class BeginHandshakeMethod extends Method {
127+
BeginHandshakeMethod() {
128+
this.hasName("beginHandshake") and
129+
this.getDeclaringType().getASupertype*() instanceof SSLEngine
130+
}
131+
}
132+
133+
/** The `wrap` method of the class `javax.net.ssl.SSLEngine`. */
134+
class SslWrapMethod extends Method {
135+
SslWrapMethod() {
136+
this.hasName("wrap") and
137+
this.getDeclaringType().getASupertype*() instanceof SSLEngine
138+
}
139+
}
140+
141+
/** The `unwrap` method of the class `javax.net.ssl.SSLEngine`. */
142+
class SslUnwrapMethod extends Method {
143+
SslUnwrapMethod() {
144+
this.hasName("unwrap") and
145+
this.getDeclaringType().getASupertype*() instanceof SSLEngine
146+
}
147+
}
148+
125149
/** The `getSession` method of the class `javax.net.ssl.SSLSession`.select */
126150
class GetSslSessionMethod extends Method {
127151
GetSslSessionMethod() {

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

Lines changed: 28 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ private import semmle.code.java.dataflow.DataFlow2
88

99
/**
1010
* The creation of an object that prepares an SSL connection.
11+
*
1112
* This is a source for `SslEndpointIdentificationFlowConfig`.
1213
*/
1314
class SslConnectionInit extends DataFlow::Node {
@@ -19,12 +20,15 @@ class SslConnectionInit extends DataFlow::Node {
1920

2021
/**
2122
* A call to a method that establishes an SSL connection.
23+
*
2224
* This is a sink for `SslEndpointIdentificationFlowConfig`.
2325
*/
2426
class SslConnectionCreation extends DataFlow::Node {
2527
SslConnectionCreation() {
2628
exists(MethodAccess ma, Method m |
27-
m instanceof GetSslSessionMethod or
29+
m instanceof BeginHandshakeMethod or
30+
m instanceof SslWrapMethod or
31+
m instanceof SslUnwrapMethod or
2832
m instanceof SocketConnectMethod
2933
|
3034
ma.getMethod() = m and
@@ -44,10 +48,16 @@ class SslConnectionCreation extends DataFlow::Node {
4448
}
4549

4650
/**
47-
* An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
51+
* An SSL object that correctly verifies hostnames, or doesn't need to (because e.g. it's a server).
52+
*
4853
* This is a sanitizer for `SslEndpointIdentificationFlowConfig`.
4954
*/
50-
class SslConnectionWithSafeSslParameters extends DataFlow::Node {
55+
abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }
56+
57+
/**
58+
* An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
59+
*/
60+
private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
5161
SslConnectionWithSafeSslParameters() {
5262
exists(SafeSslParametersFlowConfig config, DataFlow::Node safe |
5363
config.hasFlowTo(safe) and
@@ -56,6 +66,21 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node {
5666
}
5767
}
5868

69+
/**
70+
* An `SSLEngine` set in server mode.
71+
*/
72+
private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer {
73+
SslEngineServerMode() {
74+
exists(MethodAccess ma, Method m |
75+
m.hasName("setUseClientMode") and
76+
m.getDeclaringType().getASupertype*() instanceof SSLEngine and
77+
ma.getMethod() = m and
78+
ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and
79+
this = DataFlow::exprNode(ma.getQualifier())
80+
)
81+
}
82+
}
83+
5984
/**
6085
* Holds if the return value of `createSocket` is cast to `SSLSocket`
6186
* or the qualifier of `createSocket` is an instance of `SSLSocketFactory`.

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
2323
override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
2424

2525
override predicate isSanitizer(DataFlow::Node sanitizer) {
26-
sanitizer instanceof SslConnectionWithSafeSslParameters
26+
sanitizer instanceof SslUnsafeCertTrustSanitizer
2727
}
2828
}
2929

0 commit comments

Comments
 (0)