Handle a specific pass-by-reference flow issue

2026-04-30 03:05:15 +02:00 · 2021-06-23 15:43:48 +02:00
parent 4508945f85
commit 64518bf91a
2 changed files with 15 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll
@@ -97,7 +97,7 @@ private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess ma |
      ma instanceof SafeSetEndpointIdentificationAlgorithm and
-      ma.getQualifier() = source.asExpr()
+      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
    )
  }

--- a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java
+++ b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java
@@ -102,6 +102,20 @@ public class UnsafeCertTrustTest {
 		socket.getOutputStream(); // Safe
 	}

+	public void testSSLSocketEndpointIdSafeWithModificationByReference() throws Exception {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		SSLParameters sslParameters = socket.getSSLParameters();
+		onSetSSLParameters(sslParameters);
+		socket.setSSLParameters(sslParameters);
+		socket.getOutputStream(); // Safe
+	}
+
+	private void onSetSSLParameters(SSLParameters sslParameters) {
+		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+	}
+
 	public void testSocketEndpointIdNotSet() throws Exception {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);