hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Change InsecureTrustManagerConfiguration to DataFlow

Browse Source
This commit is contained in:
Tony Torralba
2022-01-20 10:22:26 +01:00
parent c105d71952
commit 967308fbfd
3 changed files with 23 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
View File

@@ -2,14 +2,13 @@
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.Encryption
import semmle.code.java.security.InsecureTrustManager
/**
* A configuration to model the flow of an insecure `TrustManager`
* to the initialization of an SSL context.
*/
class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
override predicate isSource(DataFlow::Node source) {
@@ -17,4 +16,10 @@ class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
}
override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
(this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
node.getType() instanceof Array and
c instanceof DataFlow::ArrayContent
}
}

30
java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java
View File

@@ -121,7 +121,7 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
private static void namedVariableFlagDirectInsecureTrustManagerCall()
@@ -145,7 +145,7 @@ public class InsecureTrustManagerTest {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -177,7 +177,7 @@ public class InsecureTrustManagerTest {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -209,7 +209,7 @@ public class InsecureTrustManagerTest {
if (is42TheAnswerForEverything()) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -226,7 +226,7 @@ public class InsecureTrustManagerTest {
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -244,7 +244,7 @@ public class InsecureTrustManagerTest {
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -264,7 +264,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -276,7 +276,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -288,7 +288,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -300,7 +300,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -312,7 +312,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -324,7 +324,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
@@ -336,7 +336,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -349,7 +349,7 @@ public class InsecureTrustManagerTest {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -357,6 +357,6 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasTaintFlow
context.init(null, trustManager, null); // $ hasValueFlow
}
}

4
java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql
View File

@@ -3,9 +3,7 @@ import semmle.code.java.security.InsecureTrustManagerQuery
import TestUtilities.InlineFlowTest
class InsecureTrustManagerTest extends InlineFlowTest {
override DataFlow::Configuration getValueFlowConfig() { none() }
override TaintTracking::Configuration getTaintFlowConfig() {
override DataFlow::Configuration getValueFlowConfig() {
result = any(InsecureTrustManagerConfiguration c)
}
}