Fix assumption regarding when an SSLSocket does the TLS handhsake

2026-04-26 09:15:12 +02:00 · 2021-06-23 13:02:57 +02:00
parent e842acf9e0
commit 4508945f85
3 changed files with 26 additions and 63 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll
@@ -47,6 +47,14 @@ class SocketGetInputStreamMethod extends Method {
  }
 }

+class SocketGetOutputStreamMethod extends Method {
+  SocketGetOutputStreamMethod() {
+    this.getDeclaringType() instanceof TypeSocket and
+    this.hasName("getOutputStream") and
+    this.hasNoParameters()
+  }
+}
+
 /** A method or constructor call that returns a new `URI`. */
 class UriCreation extends Call {
  UriCreation() {
@@ -152,7 +160,7 @@ class UrlOpenConnectionMethod extends Method {
 class CreateSocketMethod extends Method {
  CreateSocketMethod() {
    this.hasName("createSocket") and
-    this.getDeclaringType() instanceof TypeSocketFactory
+    this.getDeclaringType().getASupertype*() instanceof TypeSocketFactory
  }
 }

--- a/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll
@@ -13,8 +13,14 @@ private import semmle.code.java.dataflow.DataFlow2
 */
 class SslConnectionInit extends DataFlow::Node {
  SslConnectionInit() {
-    this.asExpr().(MethodAccess).getMethod() instanceof CreateSslEngineMethod or
-    this.asExpr().(MethodAccess).getMethod() instanceof CreateSocketMethod
+    exists(MethodAccess ma, Method m |
+      this.asExpr() = ma and
+      ma.getMethod() = m
+    |
+      m instanceof CreateSslEngineMethod
+      or
+      m instanceof CreateSocketMethod and isSslSocket(ma)
+    )
  }
 }

@@ -29,21 +35,11 @@ class SslConnectionCreation extends DataFlow::Node {
      m instanceof BeginHandshakeMethod or
      m instanceof SslWrapMethod or
      m instanceof SslUnwrapMethod or
-      m instanceof SocketConnectMethod
+      m instanceof SocketGetOutputStreamMethod
    |
      ma.getMethod() = m and
      this.asExpr() = ma.getQualifier()
    )
-    or
-    // calls to SocketFactory.createSocket with parameters immediately create the connection
-    exists(MethodAccess ma, Method m |
-      ma.getMethod() = m and
-      m instanceof CreateSocketMethod and
-      m.getNumberOfParameters() > 0 and
-      isSslSocket(ma)
-    |
-      this.asExpr() = ma
-    )
  }
 }