Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 73653f7

Browse files
atorralbaatorralba
committed
Use InlineExpectationsTest
1 parent 8c6d58e commit 73653f7

5 files changed

Lines changed: 58 additions & 8 deletions

File tree

java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.expected

Lines changed: 0 additions & 2 deletions
This file was deleted.

java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.expected

Whitespace-only changes.

java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.java renamed to java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.java

Lines changed: 35 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010

1111
import java.util.Properties;
1212

13-
class InsecureJavaMail {
13+
class InsecureJavaMailTest {
1414
public void testJavaMail() {
1515
final Properties properties = new Properties();
1616
properties.put("mail.transport.protocol", "protocol");
@@ -24,18 +24,48 @@ protected PasswordAuthentication getPasswordAuthentication() {
2424
};
2525
if (null != authenticator) {
2626
properties.put("mail.smtp.auth", "true");
27-
// properties.put("mail.smtp.ssl.checkserveridentity", "true");
2827
}
29-
final Session session = Session.getInstance(properties, authenticator);
28+
final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
29+
}
30+
31+
public void testSecureJavaMail() {
32+
final Properties properties = new Properties();
33+
properties.put("mail.transport.protocol", "protocol");
34+
properties.put("mail.smtp.host", "hostname");
35+
properties.put("mail.smtp.socketFactory.class", "classname");
36+
37+
final javax.mail.Authenticator authenticator = new javax.mail.Authenticator() {
38+
protected PasswordAuthentication getPasswordAuthentication() {
39+
return new PasswordAuthentication("username", "password");
40+
}
41+
};
42+
if (null != authenticator) {
43+
properties.put("mail.smtp.auth", "true");
44+
properties.put("mail.smtp.ssl.checkserveridentity", "true");
45+
}
46+
final Session session = Session.getInstance(properties, authenticator); // Safe
3047
}
3148

3249
public void testSimpleMail() throws Exception {
3350
Email email = new SimpleEmail();
3451
email.setHostName("config.hostName");
3552
email.setSmtpPort(25);
3653
email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
37-
email.setSSLOnConnect(true);
38-
// email.setSSLCheckServerIdentity(true);
54+
email.setSSLOnConnect(true); // $hasInsecureJavaMail
55+
email.setFrom("fromAddress");
56+
email.setSubject("subject");
57+
email.setMsg("body");
58+
email.addTo("toAddress");
59+
email.send();
60+
}
61+
62+
public void testSecureSimpleMail() throws Exception {
63+
Email email = new SimpleEmail();
64+
email.setHostName("config.hostName");
65+
email.setSmtpPort(25);
66+
email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
67+
email.setSSLOnConnect(true); // Safe
68+
email.setSSLCheckServerIdentity(true);
3969
email.setFrom("fromAddress");
4070
email.setSubject("subject");
4171
email.setMsg("body");

java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.ql

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
import java
2+
import semmle.code.java.security.Mail
3+
import TestUtilities.InlineExpectationsTest
4+
5+
class InsecureJavaMailTest extends InlineExpectationsTest {
6+
InsecureJavaMailTest() { this = "HasInsecureJavaMailTest" }
7+
8+
override string getARelevantTag() { result = "hasInsecureJavaMail" }
9+
10+
override predicate hasActualResult(Location location, string element, string tag, string value) {
11+
tag = "hasInsecureJavaMail" and
12+
exists(MethodAccess ma |
13+
ma.getLocation() = location and
14+
element = ma.toString() and
15+
value = ""
16+
|
17+
ma.getMethod() instanceof MailSessionGetInstanceMethod and
18+
isInsecureMailPropertyConfig(ma.getArgument(0))
19+
or
20+
enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier())
21+
)
22+
}
23+
}

0 commit comments

Comments
 (0)