Decouple UnsafeCertTrust.qll to reuse the taint tracking configuration

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

@@ -12,20 +12,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.UnsafeCertTrust
-
-class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
-  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SslUnsafeCertTrustSanitizer
-  }
-}
+import semmle.code.java.security.UnsafeCertTrustQuery
 
 from Expr unsafeTrust
 where

java/ql/src/change-notes/2021-06-28-unsafe-cert-trust-query.md

@@ -1,4 +1,4 @@
 ---
 category: newQuery
 ---
-* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550)
+* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550).

java/ql/src/semmle/code/java/security/UnsafeCertTrustQuery.qll

@@ -0,0 +1,62 @@
+/** Provides taint tracking configurations to be used by unsafe certificate trust queries. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeCertTrust
+import semmle.code.java.security.Encryption
+
+class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
+  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SslUnsafeCertTrustSanitizer
+  }
+}
+
+/**
+ * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
+ */
+private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
+  SslConnectionWithSafeSslParameters() {
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
+      config.hasFlowTo(safe) and
+      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
+      DataFlow::localFlow(sanitizer, this)
+    )
+  }
+}
+
+private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
+  SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma instanceof SafeSetEndpointIdentificationAlgorithm and
+      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, RefType t | t instanceof SSLSocket or t instanceof SSLEngine |
+      ma.getMethod().hasName("setSSLParameters") and
+      ma.getMethod().getDeclaringType().getASupertype*() = t and
+      ma.getArgument(0) = sink.asExpr()
+    )
+  }
+}
+
+/**
+ * A call to `SSLParameters.setEndpointIdentificationAlgorithm` with a non-null and non-zero parameter.
+ */
+private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
+  SafeSetEndpointIdentificationAlgorithm() {
+    this.getMethod().hasName("setEndpointIdentificationAlgorithm") and
+    this.getMethod().getDeclaringType() instanceof SSLParameters and
+    not this.getArgument(0) instanceof NullLiteral and
+    not this.getArgument(0).(CompileTimeConstantExpr).getStringValue().length() = 0
+  }
+}