Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit e43fff2

Browse files
atorralbaatorralba
committed
Use InlineExpectationsTest
1 parent 02d0fa9 commit e43fff2

7 files changed

Lines changed: 78 additions & 29 deletions

File tree

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

Lines changed: 18 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -34,8 +34,9 @@ class SslConnectionCreation extends DataFlow::Node {
3434
// calls to SocketFactory.createSocket with parameters immediately create the connection
3535
exists(MethodAccess ma, Method m |
3636
ma.getMethod() = m and
37-
m instanceof CreateSocket and
38-
m.getNumberOfParameters() > 0
37+
m instanceof CreateSocketMethod and
38+
m.getNumberOfParameters() > 0 and
39+
isSslSocket(ma)
3940
|
4041
this.asExpr() = ma
4142
)
@@ -55,6 +56,20 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node {
5556
}
5657
}
5758

59+
/**
60+
* Holds if the return value of `createSocket` is cast to `SSLSocket`
61+
* or the qualifier of `createSocket` is an instance of `SSLSocketFactory`.
62+
*/
63+
private predicate isSslSocket(MethodAccess createSocket) {
64+
exists(Variable ssl, CastExpr ce |
65+
ce.getExpr() = createSocket and
66+
ce.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl and
67+
ssl.getType() instanceof SSLSocket
68+
)
69+
or
70+
createSocket.getQualifier().getType().(RefType).getASupertype*() instanceof SSLSocketFactory
71+
}
72+
5873
private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
5974
SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
6075

@@ -85,7 +100,7 @@ private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
85100

86101
/**
87102
* A call to the method `useSslProtocol` on an instance of `com.rabbitmq.client.ConnectionFactory`
88-
* that doesn't have `enableHostnameVerification` set.
103+
* that doesn't set `enableHostnameVerification`.
89104
*/
90105
class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
91106
RabbitMQEnableHostnameVerificationNotSet() {

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -27,10 +27,10 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
2727
}
2828
}
2929

30-
from Expr unsafeConfig
30+
from Expr unsafeTrust
3131
where
32-
unsafeConfig instanceof RabbitMQEnableHostnameVerificationNotSet or
32+
unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet or
3333
exists(SslEndpointIdentificationFlowConfig config |
34-
config.hasFlowTo(DataFlow::exprNode(unsafeConfig))
34+
config.hasFlowTo(DataFlow::exprNode(unsafeTrust))
3535
)
36-
select unsafeConfig, "Unsafe configuration of trusted certificates"
36+
select unsafeTrust, "Unsafe configuration of trusted certificates"

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrust.expected

Lines changed: 0 additions & 3 deletions
This file was deleted.

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrust.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.expected

Whitespace-only changes.

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

Lines changed: 18 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorith
1919
SSLParameters sslParameters = sslEngine.getSSLParameters();
2020
sslParameters.setEndpointIdentificationAlgorithm(null);
2121
sslEngine.setSSLParameters(sslParameters);
22-
sslEngine.getSession();
22+
sslEngine.getSession(); // $hasUnsafeCertTrust
2323
}
2424

2525
/**
@@ -28,7 +28,7 @@ public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorith
2828
public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
2929
SSLContext sslContext = SSLContext.getInstance("TLS");
3030
SSLEngine sslEngine = sslContext.createSSLEngine();
31-
sslEngine.getSession();
31+
sslEngine.getSession(); // $hasUnsafeCertTrust
3232
}
3333

3434
/**
@@ -40,7 +40,7 @@ public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmEx
4040
SSLParameters sslParameters = sslEngine.getSSLParameters();
4141
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
4242
sslEngine.setSSLParameters(sslParameters);
43-
sslEngine.getSession();
43+
sslEngine.getSession(); // Safe
4444
}
4545

4646
/**
@@ -49,8 +49,8 @@ public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmEx
4949
public void testSSLSocketImmediatelyConnects()
5050
throws java.security.NoSuchAlgorithmException, java.io.IOException {
5151
SSLContext sslContext = SSLContext.getInstance("TLS");
52-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
53-
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
52+
SocketFactory socketFactory = sslContext.getSocketFactory();
53+
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
5454
}
5555

5656
/**
@@ -59,9 +59,9 @@ public void testSSLSocketImmediatelyConnects()
5959
public void testSSLSocketEndpointIdNotSet()
6060
throws java.security.NoSuchAlgorithmException, java.io.IOException {
6161
SSLContext sslContext = SSLContext.getInstance("TLS");
62-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
62+
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
6363
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
64-
socket.connect(new InetSocketAddress("www.example.com", 443));
64+
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
6565
}
6666

6767
/**
@@ -70,12 +70,12 @@ public void testSSLSocketEndpointIdNotSet()
7070
public void testSSLSocketEndpointIdSetNull()
7171
throws java.security.NoSuchAlgorithmException, java.io.IOException {
7272
SSLContext sslContext = SSLContext.getInstance("TLS");
73-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
73+
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
7474
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
7575
SSLParameters sslParameters = socket.getSSLParameters();
7676
sslParameters.setEndpointIdentificationAlgorithm(null);
7777
socket.setSSLParameters(sslParameters);
78-
socket.connect(new InetSocketAddress("www.example.com", 443));
78+
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
7979
}
8080

8181
/**
@@ -84,12 +84,12 @@ public void testSSLSocketEndpointIdSetNull()
8484
public void testSSLSocketEndpointIdSetEmpty()
8585
throws java.security.NoSuchAlgorithmException, java.io.IOException {
8686
SSLContext sslContext = SSLContext.getInstance("TLS");
87-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
87+
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
8888
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
8989
SSLParameters sslParameters = socket.getSSLParameters();
9090
sslParameters.setEndpointIdentificationAlgorithm("");
9191
socket.setSSLParameters(sslParameters);
92-
socket.connect(new InetSocketAddress("www.example.com", 443));
92+
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
9393
}
9494

9595
/**
@@ -98,8 +98,8 @@ public void testSSLSocketEndpointIdSetEmpty()
9898
public void testSSLSocketEndpointIdAfterConnecting()
9999
throws java.security.NoSuchAlgorithmException, java.io.IOException {
100100
SSLContext sslContext = SSLContext.getInstance("TLS");
101-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
102-
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
101+
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
102+
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
103103
SSLParameters sslParameters = socket.getSSLParameters();
104104
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
105105
socket.setSSLParameters(sslParameters);
@@ -111,36 +111,36 @@ public void testSSLSocketEndpointIdAfterConnecting()
111111
public void testSSLSocketEndpointIdSafe()
112112
throws java.security.NoSuchAlgorithmException, java.io.IOException {
113113
SSLContext sslContext = SSLContext.getInstance("TLS");
114-
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
114+
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
115115
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
116116
SSLParameters sslParameters = socket.getSSLParameters();
117117
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
118118
socket.setSSLParameters(sslParameters);
119-
socket.connect(new InetSocketAddress("www.example.com", 443));
119+
socket.connect(new InetSocketAddress("www.example.com", 443)); // Safe
120120
}
121121

122122
/**
123123
* Test the endpoint identification of regular socket is not set
124124
*/
125125
public void testSocketEndpointIdNotSet() throws java.io.IOException {
126126
SocketFactory socketFactory = SocketFactory.getDefault();
127-
Socket socket = socketFactory.createSocket("www.example.com", 80);
127+
Socket socket = socketFactory.createSocket("www.example.com", 80); // Safe
128128
}
129129

130130
/**
131131
* Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
132132
*/
133133
public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
134134
ConnectionFactory connectionFactory = new ConnectionFactory();
135-
connectionFactory.useSslProtocol();
135+
connectionFactory.useSslProtocol(); // $hasUnsafeCertTrust
136136
}
137137

138138
/**
139139
* Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
140140
*/
141141
public void testRabbitMQFactorySafe() throws Exception {
142142
ConnectionFactory connectionFactory = new ConnectionFactory();
143-
connectionFactory.useSslProtocol();
143+
connectionFactory.useSslProtocol(); // Safe
144144
connectionFactory.enableHostnameVerification();
145145
}
146146
}

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
import java
2+
import semmle.code.java.dataflow.FlowSources
3+
import semmle.code.java.dataflow.TaintTracking
4+
import semmle.code.java.security.UnsafeCertTrust
5+
import TestUtilities.InlineExpectationsTest
6+
7+
class Conf extends TaintTracking::Configuration {
8+
Conf() { this = "qltest:cwe:unsafe-cert-trust" }
9+
10+
override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
11+
12+
override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
13+
14+
override predicate isSanitizer(DataFlow::Node sanitizer) {
15+
sanitizer instanceof SslConnectionWithSafeSslParameters
16+
}
17+
}
18+
19+
class UnsafeCertTrustTest extends InlineExpectationsTest {
20+
UnsafeCertTrustTest() { this = "HasUnsafeCertTrustTest" }
21+
22+
override string getARelevantTag() { result = "hasUnsafeCertTrust" }
23+
24+
override predicate hasActualResult(Location location, string element, string tag, string value) {
25+
tag = "hasUnsafeCertTrust" and
26+
exists(Expr unsafeTrust |
27+
unsafeTrust instanceof X509TrustAllManagerInit
28+
or
29+
unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet
30+
or
31+
exists(Conf config | config.hasFlowTo(DataFlow::exprNode(unsafeTrust)))
32+
|
33+
unsafeTrust.getLocation() = location and
34+
element = unsafeTrust.toString() and
35+
value = ""
36+
)
37+
}
38+
}

0 commit comments

Comments
 (0)