From 5d4cd70f8cdc9877abb0cac828f2b16a74179e62 Mon Sep 17 00:00:00 2001 From: Tony Torralba Date: Tue, 22 Jun 2021 17:53:15 +0200 Subject: [PATCH] Adjusted sources and sanitizer of UnsafeCertTrust taint tracking config --- .../semmle/code/java/security/Encryption.qll | 24 ++ .../code/java/security/UnsafeCertTrust.qll | 31 +- .../Security/CWE/CWE-273/UnsafeCertTrust.ql | 2 +- .../semmle/code/java/security/Encryption.qll | 373 ++++++++++++++++++ .../security/CWE-273/UnsafeCertTrustTest.java | 56 ++- .../security/CWE-273/UnsafeCertTrustTest.ql | 2 +- 6 files changed, 463 insertions(+), 25 deletions(-) create mode 100644 java/ql/src/semmle/code/java/security/Encryption.qll diff --git a/java/ql/lib/semmle/code/java/security/Encryption.qll b/java/ql/lib/semmle/code/java/security/Encryption.qll index 3ae5fdf3d9d..57c91d9cd55 100644 --- a/java/ql/lib/semmle/code/java/security/Encryption.qll +++ b/java/ql/lib/semmle/code/java/security/Encryption.qll @@ -122,6 +122,30 @@ class SetDefaultHostnameVerifierMethod extends Method { } } +/** The `beginHandshake` method of the class `javax.net.ssl.SSLEngine`. */ +class BeginHandshakeMethod extends Method { + BeginHandshakeMethod() { + this.hasName("beginHandshake") and + this.getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + +/** The `wrap` method of the class `javax.net.ssl.SSLEngine`. */ +class SslWrapMethod extends Method { + SslWrapMethod() { + this.hasName("wrap") and + this.getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + +/** The `unwrap` method of the class `javax.net.ssl.SSLEngine`. */ +class SslUnwrapMethod extends Method { + SslUnwrapMethod() { + this.hasName("unwrap") and + this.getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + /** The `getSession` method of the class `javax.net.ssl.SSLSession`.select */ class GetSslSessionMethod extends Method { GetSslSessionMethod() { diff --git a/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll b/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll index 986472fa58b..64efc5130af 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll @@ -8,6 +8,7 @@ private import semmle.code.java.dataflow.DataFlow2 /** * The creation of an object that prepares an SSL connection. + * * This is a source for `SslEndpointIdentificationFlowConfig`. */ class SslConnectionInit extends DataFlow::Node { @@ -19,12 +20,15 @@ class SslConnectionInit extends DataFlow::Node { /** * A call to a method that establishes an SSL connection. + * * This is a sink for `SslEndpointIdentificationFlowConfig`. */ class SslConnectionCreation extends DataFlow::Node { SslConnectionCreation() { exists(MethodAccess ma, Method m | - m instanceof GetSslSessionMethod or + m instanceof BeginHandshakeMethod or + m instanceof SslWrapMethod or + m instanceof SslUnwrapMethod or m instanceof SocketConnectMethod | ma.getMethod() = m and @@ -44,10 +48,16 @@ class SslConnectionCreation extends DataFlow::Node { } /** - * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe. + * An SSL object that correctly verifies hostnames, or doesn't need to (because e.g. it's a server). + * * This is a sanitizer for `SslEndpointIdentificationFlowConfig`. */ -class SslConnectionWithSafeSslParameters extends DataFlow::Node { +abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { } + +/** + * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe. + */ +private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer { SslConnectionWithSafeSslParameters() { exists(SafeSslParametersFlowConfig config, DataFlow::Node safe | config.hasFlowTo(safe) and @@ -56,6 +66,21 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node { } } +/** + * An `SSLEngine` set in server mode. + */ +private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer { + SslEngineServerMode() { + exists(MethodAccess ma, Method m | + m.hasName("setUseClientMode") and + m.getDeclaringType().getASupertype*() instanceof SSLEngine and + ma.getMethod() = m and + ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and + this = DataFlow::exprNode(ma.getQualifier()) + ) + } +} + /** * Holds if the return value of `createSocket` is cast to `SSLSocket` * or the qualifier of `createSocket` is an instance of `SSLSocketFactory`. diff --git a/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql b/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql index 8ab77389d36..2893329a4c3 100644 --- a/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql +++ b/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql @@ -23,7 +23,7 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation } override predicate isSanitizer(DataFlow::Node sanitizer) { - sanitizer instanceof SslConnectionWithSafeSslParameters + sanitizer instanceof SslUnsafeCertTrustSanitizer } } diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll new file mode 100644 index 00000000000..05720974dea --- /dev/null +++ b/java/ql/src/semmle/code/java/security/Encryption.qll @@ -0,0 +1,373 @@ +/** + * Provides predicates and classes relating to encryption in Java. + */ + +import java + +class SSLClass extends RefType { + SSLClass() { + exists(Class c | this.getASupertype*() = c | + c.hasQualifiedName("javax.net.ssl", _) or + c.hasQualifiedName("javax.rmi.ssl", _) + ) + } +} + +class X509TrustManager extends RefType { + X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") } +} + +class HttpsURLConnection extends RefType { + HttpsURLConnection() { hasQualifiedName("javax.net.ssl", "HttpsURLConnection") } +} + +class SSLSocketFactory extends RefType { + SSLSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") } +} + +class SSLContext extends RefType { + SSLContext() { hasQualifiedName("javax.net.ssl", "SSLContext") } +} + +/** The `javax.net.ssl.SSLSession` class. */ +class SSLSession extends RefType { + SSLSession() { hasQualifiedName("javax.net.ssl", "SSLSession") } +} + +class SSLEngine extends RefType { + SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") } +} + +class SSLSocket extends RefType { + SSLSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") } +} + +/** The `javax.net.ssl.SSLParameters` class. */ +class SSLParameters extends RefType { + SSLParameters() { this.hasQualifiedName("javax.net.ssl", "SSLParameters") } +} + +class HostnameVerifier extends RefType { + HostnameVerifier() { hasQualifiedName("javax.net.ssl", "HostnameVerifier") } +} + +/** The Java class `javax.crypto.KeyGenerator`. */ +class KeyGenerator extends RefType { + KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") } +} + +/** The Java class `java.security.KeyPairGenerator`. */ +class KeyPairGenerator extends RefType { + KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") } +} + +/** The `verify` method of the class `javax.net.ssl.HostnameVerifier`. */ +class HostnameVerifierVerify extends Method { + HostnameVerifierVerify() { + hasName("verify") and + getDeclaringType().getASupertype*() instanceof HostnameVerifier and + getParameterType(0) instanceof TypeString and + getParameterType(1) instanceof SSLSession + } +} + +class TrustManagerCheckMethod extends Method { + TrustManagerCheckMethod() { + (this.hasName("checkClientTrusted") or this.hasName("checkServerTrusted")) and + this.getDeclaringType().getASupertype*() instanceof X509TrustManager + } +} + +class CreateSocket extends Method { + CreateSocket() { + hasName("createSocket") and + getDeclaringType() instanceof SSLSocketFactory + } +} + +class GetSocketFactory extends Method { + GetSocketFactory() { + hasName("getSocketFactory") and + getDeclaringType() instanceof SSLContext + } +} + +/** The `createSSLEngine` method of the class `javax.net.ssl.SSLContext` */ +class CreateSslEngineMethod extends Method { + CreateSslEngineMethod() { + this.hasName("createSSLEngine") and + this.getDeclaringType() instanceof SSLContext + } +} + +class SetConnectionFactoryMethod extends Method { + SetConnectionFactoryMethod() { + hasName("setSSLSocketFactory") and + getDeclaringType().getASupertype*() instanceof HttpsURLConnection + } +} + +class SetHostnameVerifierMethod extends Method { + SetHostnameVerifierMethod() { + hasName("setHostnameVerifier") and + getDeclaringType().getASupertype*() instanceof HttpsURLConnection + } +} + +/** The `setDefaultHostnameVerifier` method of the class `javax.net.ssl.HttpsURLConnection`. */ +class SetDefaultHostnameVerifierMethod extends Method { + SetDefaultHostnameVerifierMethod() { + hasName("setDefaultHostnameVerifier") and + getDeclaringType().getASupertype*() instanceof HttpsURLConnection + } +} + +/** The `beginHandshake` method of the class `javax.net.ssl.SSLEngine`. */ +class BeginHandshakeMethod extends Method { + BeginHandshakeMethod() { + hasName("beginHandshake") and + getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + +/** The `wrap` method of the class `javax.net.ssl.SSLEngine`. */ +class SslWrapMethod extends Method { + SslWrapMethod() { + hasName("wrap") and + getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + +/** The `unwrap` method of the class `javax.net.ssl.SSLEngine`. */ +class SslUnwrapMethod extends Method { + SslUnwrapMethod() { + hasName("unwrap") and + getDeclaringType().getASupertype*() instanceof SSLEngine + } +} + +bindingset[algorithmString] +private string algorithmRegex(string algorithmString) { + // Algorithms usually appear in names surrounded by characters that are not + // alphabetical characters in the same case. This handles the upper and lower + // case cases. + result = + "((^|.*[^A-Z])(" + algorithmString + ")([^A-Z].*|$))" + + // or... + "|" + + // For lowercase, we want to be careful to avoid being confused by camelCase + // hence we require two preceding uppercase letters to be sure of a case switch, + // or a preceding non-alphabetic character + "((^|.*[A-Z]{2}|.*[^a-zA-Z])(" + algorithmString.toLowerCase() + ")([^a-z].*|$))" +} + +/** + * Gets the name of an algorithm that is known to be insecure. + */ +string getAnInsecureAlgorithmName() { + result = + [ + "DES", "RC2", "RC4", "RC5", + // ARCFOUR is a variant of RC4 + "ARCFOUR", + // Encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks + "ECB", + // CBC mode of operation with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks + "AES/CBC/PKCS[57]Padding" + ] +} + +/** + * Gets the name of a hash algorithm that is insecure if it is being used for + * encryption. + */ +string getAnInsecureHashAlgorithmName() { + result = "SHA1" or + result = "MD5" +} + +private string rankedInsecureAlgorithm(int i) { + // In this case we know these are being used for encryption, so we want to match + // weak hash algorithms too. + result = + rank[i](string s | s = getAnInsecureAlgorithmName() or s = getAnInsecureHashAlgorithmName()) +} + +private string insecureAlgorithmString(int i) { + i = 1 and result = rankedInsecureAlgorithm(i) + or + result = rankedInsecureAlgorithm(i) + "|" + insecureAlgorithmString(i - 1) +} + +/** + * Gets the regular expression used for matching strings that look like they + * contain an algorithm that is known to be insecure. + */ +string getInsecureAlgorithmRegex() { + result = algorithmRegex(insecureAlgorithmString(max(int i | exists(rankedInsecureAlgorithm(i))))) +} + +/** + * Gets the name of an algorithm that is known to be secure. + */ +string getASecureAlgorithmName() { + result = + [ + "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES([^a-zA-Z](?!ECB|CBC/PKCS[57]Padding)).*", + "Blowfish", "ECIES" + ] +} + +private string rankedSecureAlgorithm(int i) { result = rank[i](getASecureAlgorithmName()) } + +private string secureAlgorithmString(int i) { + i = 1 and result = rankedSecureAlgorithm(i) + or + result = rankedSecureAlgorithm(i) + "|" + secureAlgorithmString(i - 1) +} + +/** + * Gets a regular expression for matching strings that look like they + * contain an algorithm that is known to be secure. + */ +string getSecureAlgorithmRegex() { + result = algorithmRegex(secureAlgorithmString(max(int i | exists(rankedSecureAlgorithm(i))))) +} + +/** + * DEPRECATED: Terminology has been updated. Use `getAnInsecureAlgorithmName()` + * instead. + */ +deprecated string algorithmBlacklist() { result = getAnInsecureAlgorithmName() } + +/** + * DEPRECATED: Terminology has been updated. Use + * `getAnInsecureHashAlgorithmName()` instead. + */ +deprecated string hashAlgorithmBlacklist() { result = getAnInsecureHashAlgorithmName() } + +/** + * DEPRECATED: Terminology has been updated. Use `getInsecureAlgorithmRegex()` instead. + */ +deprecated string algorithmBlacklistRegex() { result = getInsecureAlgorithmRegex() } + +/** + * DEPRECATED: Terminology has been updated. Use `getASecureAlgorithmName()` + * instead. + */ +deprecated string algorithmWhitelist() { result = getASecureAlgorithmName() } + +/** + * DEPRECATED: Terminology has been updated. Use `getSecureAlgorithmRegex()` instead. + */ +deprecated string algorithmWhitelistRegex() { result = getSecureAlgorithmRegex() } + +/** + * Any use of a cryptographic element that specifies an encryption + * algorithm. For example, methods returning ciphers, decryption methods, + * constructors of cipher classes, etc. + */ +abstract class CryptoAlgoSpec extends Top { + CryptoAlgoSpec() { this instanceof Call } + + abstract Expr getAlgoSpec(); +} + +abstract class JavaxCryptoAlgoSpec extends CryptoAlgoSpec { } + +class JavaxCryptoCipher extends JavaxCryptoAlgoSpec { + JavaxCryptoCipher() { + exists(Method m | m.getAReference() = this | + m.getDeclaringType().getQualifiedName() = "javax.crypto.Cipher" and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) } +} + +class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec { + JavaxCryptoSecretKey() { + exists(Constructor c | c.getAReference() = this | + c.getDeclaringType().getQualifiedName() = "javax.crypto.spec.SecretKeySpec" + ) + } + + override Expr getAlgoSpec() { + exists(ConstructorCall c | c = this | + if c.getNumArgument() = 2 then result = c.getArgument(1) else result = c.getArgument(3) + ) + } +} + +class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec { + JavaxCryptoKeyGenerator() { + exists(Method m | m.getAReference() = this | + m.getDeclaringType() instanceof KeyGenerator and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) } +} + +class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec { + JavaxCryptoKeyAgreement() { + exists(Method m | m.getAReference() = this | + m.getDeclaringType().getQualifiedName() = "javax.crypto.KeyAgreement" and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) } +} + +class JavaxCryptoKeyFactory extends JavaxCryptoAlgoSpec { + JavaxCryptoKeyFactory() { + exists(Method m | m.getAReference() = this | + m.getDeclaringType().getQualifiedName() = "javax.crypto.SecretKeyFactory" and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) } +} + +abstract class JavaSecurityAlgoSpec extends CryptoAlgoSpec { } + +class JavaSecurityMessageDigest extends JavaSecurityAlgoSpec { + JavaSecurityMessageDigest() { + exists(Constructor c | c.getAReference() = this | + c.getDeclaringType().hasQualifiedName("java.security", "MessageDigest") + ) + or + exists(Method m | m.getAReference() = this | + m.getDeclaringType().hasQualifiedName("java.security", "MessageDigest") and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(Call).getArgument(0) } +} + +class JavaSecuritySignature extends JavaSecurityAlgoSpec { + JavaSecuritySignature() { + exists(Constructor c | c.getAReference() = this | + c.getDeclaringType().getQualifiedName() = "java.security.Signature" + ) + } + + override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) } +} + +/** A method call to the Java class `java.security.KeyPairGenerator`. */ +class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec { + JavaSecurityKeyPairGenerator() { + exists(Method m | m.getAReference() = this | + m.getDeclaringType() instanceof KeyPairGenerator and + m.getName() = "getInstance" + ) + } + + override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) } +} diff --git a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java index 6b65cda8868..181ce1d9a4f 100644 --- a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java +++ b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java @@ -1,5 +1,6 @@ import java.net.InetSocketAddress; import java.net.Socket; +import java.nio.ByteBuffer; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; @@ -13,41 +14,61 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL engine is set to null */ - public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorithmException { + public void testSSLEngineEndpointIdSetNull() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLEngine sslEngine = sslContext.createSSLEngine(); SSLParameters sslParameters = sslEngine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm(null); sslEngine.setSSLParameters(sslParameters); - sslEngine.getSession(); // $hasUnsafeCertTrust + sslEngine.beginHandshake(); // $hasUnsafeCertTrust + sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust + sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust } /** - * Test the endpoint identification of SSL engine is not set + * Test the endpoint identification of SSL engine is set to null */ - public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException { + public void testSSLEngineEndpointIdSetEmpty() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLEngine sslEngine = sslContext.createSSLEngine(); - sslEngine.getSession(); // $hasUnsafeCertTrust + SSLParameters sslParameters = sslEngine.getSSLParameters(); + sslParameters.setEndpointIdentificationAlgorithm(""); + sslEngine.setSSLParameters(sslParameters); + sslEngine.beginHandshake(); // $hasUnsafeCertTrust + sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust + sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust } /** * Test the endpoint identification of SSL engine is set to HTTPS */ - public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmException { + public void testSSLEngineEndpointIdSafe() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLEngine sslEngine = sslContext.createSSLEngine(); SSLParameters sslParameters = sslEngine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); sslEngine.setSSLParameters(sslParameters); - sslEngine.getSession(); // Safe + sslEngine.beginHandshake(); // Safe + sslEngine.wrap(new ByteBuffer[] {}, null); // Safe + sslEngine.unwrap(null, null, 0, 0); // Safe + } + + /** + * Test the endpoint identification of SSL engine is set to HTTPS + */ + public void testSSLEngineInServerMode() throws Exception { + SSLContext sslContext = SSLContext.getInstance("TLS"); + SSLEngine sslEngine = sslContext.createSSLEngine(); + sslEngine.setUseClientMode(false); + sslEngine.beginHandshake(); // Safe + sslEngine.wrap(new ByteBuffer[] {}, null); // Safe + sslEngine.unwrap(null, null, 0, 0); // Safe } /** * Test the endpoint identification of SSL socket is not set */ - public void testSSLSocketImmediatelyConnects() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketImmediatelyConnects() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust @@ -56,8 +77,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL socket is not set */ - public void testSSLSocketEndpointIdNotSet() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketEndpointIdNotSet() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket(); @@ -67,8 +87,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL socket is set to null */ - public void testSSLSocketEndpointIdSetNull() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketEndpointIdSetNull() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket(); @@ -81,8 +100,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL socket is set to empty */ - public void testSSLSocketEndpointIdSetEmpty() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketEndpointIdSetEmpty() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket(); @@ -95,8 +113,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL socket is not set */ - public void testSSLSocketEndpointIdAfterConnecting() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketEndpointIdAfterConnecting() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust @@ -108,8 +125,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of SSL socket is not set */ - public void testSSLSocketEndpointIdSafe() - throws java.security.NoSuchAlgorithmException, java.io.IOException { + public void testSSLSocketEndpointIdSafe() throws Exception { SSLContext sslContext = SSLContext.getInstance("TLS"); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); SSLSocket socket = (SSLSocket) socketFactory.createSocket(); @@ -122,7 +138,7 @@ public class UnsafeCertTrustTest { /** * Test the endpoint identification of regular socket is not set */ - public void testSocketEndpointIdNotSet() throws java.io.IOException { + public void testSocketEndpointIdNotSet() throws Exception { SocketFactory socketFactory = SocketFactory.getDefault(); Socket socket = socketFactory.createSocket("www.example.com", 80); // Safe } diff --git a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql index 7abcbd0fd35..66a76175c65 100644 --- a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql +++ b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql @@ -12,7 +12,7 @@ class Conf extends TaintTracking::Configuration { override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation } override predicate isSanitizer(DataFlow::Node sanitizer) { - sanitizer instanceof SslConnectionWithSafeSslParameters + sanitizer instanceof SslUnsafeCertTrustSanitizer } }