Merge pull request #611 from aschackmull/java/usessl-fp-fix

Java: Fix FP in `UseSSL.ql`.
2026-05-02 12:15:17 +02:00 · 2018-12-04 19:31:53 -05:00
parent d05b11f00d d3fcfb0957
commit 00779c518c
4 changed files with 23 additions and 2 deletions
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
@@ -0,0 +1,14 @@
+import java.net.HttpURLConnection;
+import javax.net.ssl.HttpsURLConnection;
+import java.io.*;
+
+class Test {
+  public void m1(HttpURLConnection connection) {
+    InputStream input;
+    if (connection instanceof HttpsURLConnection) {
+      input = connection.getInputStream(); // OK
+    } else {
+      input = connection.getInputStream(); // BAD
+    }
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
@@ -0,0 +1 @@
+| Test.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-319/UseSSL.ql
				`@@ -0,0 +1 @@`
				`\| Test.java:11:15:11:41 \| getInputStream(...) \| Stream using vulnerable non-SSL connection. \|`