Apply suggestions from code review

timoles · smowton · web-flow · commit e7021ffbee4f · 2021-05-25T12:53:47.000+02:00
More clear or precise wording within the documentation

Co-authored-by: Chris Smowton &lt;smowton@github.com&gt;
diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectJmxEnvironmentInitialisation.java
@@ -20,7 +20,7 @@ public void initAndStartJmxServer() throws IOException{
         String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
         env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
                 
-        /* Old way
+        /* Java 9 or below:
         env.put("jmx.remote.rmi.server.credential.types",
                 new String[] { String[].class.getName(), String.class.getName() });
         */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java b/java/ql/src/experimental/Security/CWE/CWE-665/CorrectRmiEnvironmentInitialisation.java
@@ -10,7 +10,7 @@ public void initAndStartRmiServer(int port, String hostname, boolean local) {
         String my_filter = "java.lang.String;!*"; // Deny everything but java.lang.String
         env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
                 
-        /* Old way
+        /* Java 9 or below
         env.put("jmx.remote.rmi.server.credential.types",
                 new String[] { String[].class.getName(), String.class.getName() });
         */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 <p>An improperly set environment variable during the creation of an RMI or JMX server can lead 
-to an unauthenticated remote code execution vulnerability. This is due to the fact that the
+to an unauthenticated remote code execution vulnerability. This is because the
 RMI/JMX server environment allows attackers to supply arbitrary objects to the authentication 
 method, resulting in the attempted deserialization of an attacker-controlled object.
 </overview>
@@ -15,7 +15,7 @@ to be passed as second parameter.
 In order to disallow the deserialization of arbitrary objects the passed environment needs to set a deserialization filter.
 Ideally this filter only allows the deserialization to <code>java.lang.String</code>.
 
-The filter can be configured by setting the key <code>jmx.remote.rmi.server.credentials.filter.pattern</code> (CONST variable <code>RMIConnectorServer.CREDENTIALS_FILTER_PATTERN</code>).
+The filter can be configured by setting the key <code>jmx.remote.rmi.server.credentials.filter.pattern</code> (given by the constant <code>RMIConnectorServer.CREDENTIALS_FILTER_PATTERN</code>).
 The filter should (ideally) only allow java.lang.String and disallow all other classes for deserialization: (<code>"java.lang.String;!*"</code>).
 
 The key-value pair can be set as following:
@@ -27,7 +27,7 @@ Map<String, Object> env = new HashMap<String, Object>;
 env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, my_filter);
 </code>
 
-For applications using &lt; Java 10:
+For applications using Java 9 or below:
 
 <code>
 // This is deprecated in Java 10+ !
diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
@@ -1,6 +1,6 @@
 /**
  * @name InsecureRmiJmxAuthenticationEnvironment
- * @description This query detects if a JMX/RMI server is created with a potentially dangerous environment, which could lead to code execution through insecure deserialization.
+ * @description Creating a JMX/RMI server could lead to code execution through insecure deserialization if its environment does not restrict the types that can be deserialized.
  * @kind path-problem
  * @problem.severity error
  * @tags security
@@ -17,14 +17,14 @@ import DataFlow::PathGraph
 import semmle.code.java.dataflow.NullGuards
 import semmle.code.java.dataflow.Nullness
 
-/** Predicate which detects vulnerable Constructors */
+/** Holds if `constructor` instantiates an RMI or JMX server. */
 predicate isRmiOrJmxServerCreateConstructor(Constructor constructor) {
   constructor
       .getDeclaringType()
       .hasQualifiedName("javax.management.remote.rmi", "RMIConnectorServer")
 }
 
-/** Predicate which detects vulnerable server creations via methods */
+/** Holds if `method` creates an RMI or JMX server. */
 predicate isRmiOrJmxServerCreateMethod(Method method) {
   method.getName() = "newJMXConnectorServer" and
   method.getDeclaringType().hasQualifiedName("javax.management.remote", "JMXConnectorServerFactory")
