Generalize sanitizer using local flow

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -55,9 +55,10 @@ abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }
  */
 private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
   SslConnectionWithSafeSslParameters() {
-    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe |
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
       config.hasFlowTo(safe) and
-      this = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier())
+      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
+      DataFlow::localFlow(sanitizer, this)
     )
   }
 }
@@ -72,7 +73,7 @@ private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer {
       m.getDeclaringType().getASupertype*() instanceof SSLEngine and
       ma.getMethod() = m and
       ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and
-      this = DataFlow::exprNode(ma.getQualifier())
+      this.asExpr() = ma.getQualifier()
     )
   }
 }

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -116,6 +116,18 @@ public class UnsafeCertTrustTest {
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 	}
 
+	public void testSSLSocketEndpointIdSafeWithConditionalSanitizer(boolean safe) throws Exception {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		if (safe) {
+			SSLParameters sslParameters = socket.getSSLParameters();
+			onSetSSLParameters(sslParameters);
+			socket.setSSLParameters(sslParameters);
+		}
+		socket.getOutputStream(); // Safe
+	}
+
 	public void testSocketEndpointIdNotSet() throws Exception {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);