hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7136 from atorralba/atorralba/promote-insecure-trustmanager

Browse Source 
Java: Promote Insecure TrustManager from experimental
This commit is contained in:
Tony Torralba
2022-01-24 14:05:14 +01:00
committed by GitHub
parent b2dc02b831 967308fbfd
commit b59fd4070f
11 changed files with 167 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
java/ql/src/experimental/Security/CWE/CWE-295/InsecureTrustManager.ql → java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll
View File

@@ -1,28 +1,52 @@
/**
* @name `TrustManager` that accepts all certificates
* @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
* @kind path-problem
* @problem.severity error
* @precision high
* @id java/insecure-trustmanager
* @tags security
* external/cwe/cwe-295
*/
/** Provides classes and predicates to reason about insecure `TrustManager`s. */
import java
import semmle.code.java.controlflow.Guards
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.Encryption
import semmle.code.java.security.SecurityFlag
import DataFlow::PathGraph
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.security.Encryption
private import semmle.code.java.security.SecurityFlag
/** The creation of an insecure `TrustManager`. */
abstract class InsecureTrustManagerSource extends DataFlow::Node { }
private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSource {
DefaultInsecureTrustManagerSource() {
this.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
}
}
/**
* The use of a `TrustManager` in an SSL context.
* Intentionally insecure connections are not considered sinks.
*/
abstract class InsecureTrustManagerSink extends DataFlow::Node {
InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) }
}
private class DefaultInsecureTrustManagerSink extends InsecureTrustManagerSink {
DefaultInsecureTrustManagerSink() {
exists(MethodAccess ma, Method m |
m.hasName("init") and
m.getDeclaringType() instanceof SSLContext and
ma.getMethod() = m
|
ma.getArgument(1) = this.asExpr()
)
}
}
/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
private predicate isGuardedByInsecureFlag(DataFlow::Node node) {
exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
)
}
/**
* An insecure `X509TrustManager`.
* An `X509TrustManager` is considered insecure if it never throws a `CertificateException`
* and therefore implicitly trusts any certificate as valid.
*/
class InsecureX509TrustManager extends RefType {
private class InsecureX509TrustManager extends RefType {
InsecureX509TrustManager() {
this.getASupertype*() instanceof X509TrustManager and
exists(Method m |
@@ -59,27 +83,6 @@ private predicate mayThrowCertificateException(Method m) {
)
}
/**
* A configuration to model the flow of an `InsecureX509TrustManager` to an `SSLContext.init` call.
*/
class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
override predicate isSource(DataFlow::Node source) {
source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma, Method m |
m.hasName("init") and
m.getDeclaringType() instanceof SSLContext and
ma.getMethod() = m
|
ma.getArgument(1) = sink.asExpr()
)
}
}
/**
* Flags suggesting a deliberately insecure `TrustManager` usage.
*/
@@ -98,20 +101,3 @@ private class InsecureTrustManagerFlag extends FlagKind {
private Guard getAnInsecureTrustManagerFlagGuard() {
result = any(InsecureTrustManagerFlag flag).getAFlag().asExpr()
}
/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
private predicate isNodeGuardedByFlag(DataFlow::Node node) {
exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
)
}
from
DataFlow::PathNode source, DataFlow::PathNode sink, InsecureTrustManagerConfiguration cfg,
RefType trustManager
where
cfg.hasFlowPath(source, sink) and
not isNodeGuardedByFlag(sink.getNode()) and
trustManager = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
select sink, source, sink, "$@ that is defined $@ and trusts any certificate, is used here.",
source, "This trustmanager", trustManager, "here"

25
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll Normal file
View File

@@ -0,0 +1,25 @@
/** Provides taint tracking configurations to be used in Trust Manager queries. */
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.InsecureTrustManager
/**
* A configuration to model the flow of an insecure `TrustManager`
* to the initialization of an SSL context.
*/
class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
override predicate isSource(DataFlow::Node source) {
source instanceof InsecureTrustManagerSource
}
override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
(this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
node.getType() instanceof Array and
c instanceof DataFlow::ArrayContent
}
}

0
java/ql/src/experimental/Security/CWE/CWE-295/InsecureTrustManager.java → java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.java
View File

6
java/ql/src/experimental/Security/CWE/CWE-295/InsecureTrustManager.qhelp → java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp
View File

@@ -4,8 +4,8 @@
<qhelp>
<overview>
<p>
If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code> it trusts every certificate.
This allows an attacker to perform a machine-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code>, it trusts every certificate.
This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.
</p>
<p>
@@ -42,6 +42,6 @@ is loaded into a <code>KeyStore</code>. This explicitly defines the certificate
</example>
<references>
<li>Android Develoers:<a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
<li>Android Developers: <a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
</references>
</qhelp>

21
java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql Normal file
View File

@@ -0,0 +1,21 @@
/**
* @name `TrustManager` that accepts all certificates
* @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
* @kind path-problem
* @problem.severity error
* @security-severity 7.5
* @precision high
* @id java/insecure-trustmanager
* @tags security
* external/cwe/cwe-295
*/
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.security.InsecureTrustManagerQuery
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink
where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
select sink, source, sink, "This $@, which is defined $@ and trusts any certificate, is used here.",
source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"

4
java/ql/src/change-notes/2021-11-15-insecure-trustamanger-query.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: newQuery
---
* The query "`TrustManager` that accepts all certificates" (`java/insecure-trustmanager`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @intrigus-lgtm](https://github.com/github/codeql/pull/4879).

109
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
View File

@@ -1,109 +0,0 @@
edges
| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager |
| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:131:23:131:34 | trustManager |
| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager |
| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:173:23:173:34 | trustManager |
| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager |
| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:215:23:215:34 | trustManager |
| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager |
| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager |
| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager |
| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager |
| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager |
| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager |
| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager |
| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager |
| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager |
| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager |
| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager |
| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager |
| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager |
nodes
| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:131:23:131:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:173:23:173:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:215:23:215:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | semmle.label | trustManager |
| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | semmle.label | trustManager |
subpaths
#select
| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |

1
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.qlref
View File

@@ -1 +0,0 @@
experimental/Security/CWE/CWE-295/InsecureTrustManager.ql

0
java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.expected Normal file
View File

184
java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java → java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java
View File

@@ -39,14 +39,12 @@ public class InsecureTrustManagerTest {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
// BAD: Does not verify the certificate chain, allowing any certificate.
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {}
}
public static void main(String[] args) throws Exception {
@@ -88,8 +86,9 @@ public class InsecureTrustManagerTest {
}
private static void directSecureTrustManagerCall() throws NoSuchAlgorithmException, KeyStoreException, IOException,
CertificateException, FileNotFoundException, KeyManagementException, MalformedURLException {
private static void directSecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException,
FileNotFoundException, KeyManagementException, MalformedURLException {
SSLContext context = SSLContext.getInstance("TLS");
File certificateFile = new File("path/to/self-signed-certificate");
// Create a `KeyStore` with default type
@@ -98,49 +97,46 @@ public class InsecureTrustManagerTest {
keyStore.load(null, null);
X509Certificate generatedCertificate;
try (InputStream cert = new FileInputStream(certificateFile)) {
generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(cert);
generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509")
.generateCertificate(cert);
}
// Add the self-signed certificate to the key store
keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);
// Get default `TrustManagerFactory`
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// Use it with our modified key store that trusts our self-signed certificate
tmf.init(keyStore);
TrustManager[] trustManagers = tmf.getTrustManagers();
context.init(null, trustManagers, null); // GOOD, we are not using a custom `TrustManager` but instead have
// added the self-signed certificate we want to trust to the key
// store. Note, the `trustManagers` will **only** trust this one
// certificate.
// we are not using a custom `TrustManager` but instead have added the self-signed
// certificate we want to trust to the key store. Note, the `trustManagers` will **only**
// trust this one certificate.
context.init(null, trustManagers, null); // Safe
URL url = new URL("https://self-signed.badssl.com/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(context.getSocketFactory());
}
private static void directInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException {
private static void directInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
private static void namedVariableFlagDirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (TRUST_ALL) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // Safe: guarded by feature flag
}
}
private static void namedVariableFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (TRUST_ALL) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
disableTrustManager(); // Safe: guarded by feature flag
}
}
@@ -148,20 +144,15 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}
private static void noNamedVariableFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
disableTrustManager(); // Alert is in the method
}
}
@@ -169,20 +160,15 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // Safe: guarded by feature flag
}
}
private static void stringLiteralFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
disableTrustManager(); // Safe: guarded by feature flag
}
}
@@ -190,20 +176,15 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}
private static void noStringLiteralFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
disableTrustManager(); // Alert is in the method
}
}
@@ -211,20 +192,15 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
if (isDisableTrust()) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // Safe: guarded by feature flag
}
}
private static void methodAccessFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (isDisableTrust()) {
disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
// method that install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. BUT it is guarded
// by a feature flag.
disableTrustManager(); // Safe: guarded by feature flag
}
}
@@ -232,20 +208,15 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
if (is42TheAnswerForEverything()) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}
private static void noMethodAccessFlagIndirectInsecureTrustManagerCall()
throws NoSuchAlgorithmException, KeyManagementException {
if (is42TheAnswerForEverything()) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
disableTrustManager(); // Alert is in the method
}
}
@@ -254,10 +225,8 @@ public class InsecureTrustManagerTest {
String schemaFromHttpRequest = "HTTPS";
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -265,10 +234,7 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
disableTrustManager(); // Alert is in the method
}
}
@@ -277,10 +243,8 @@ public class InsecureTrustManagerTest {
String schemaFromHttpRequest = "HTTPS";
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}
@@ -288,10 +252,7 @@ public class InsecureTrustManagerTest {
throws NoSuchAlgorithmException, KeyManagementException {
String schemaFromHttpRequest = "HTTPS";
if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
// install a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag.
disableTrustManager(); // Alert is in the method
}
}
@@ -302,10 +263,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -316,10 +275,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -330,10 +287,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -344,10 +299,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -358,10 +311,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -372,11 +323,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
@@ -387,10 +335,8 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
@@ -402,19 +348,15 @@ public class InsecureTrustManagerTest {
}
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
// chain, allowing any certificate. It is NOT guarded
// by a feature flag, because it is outside the if and it is NOT a valid flag.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException {
private static void disableTrustManager()
throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance("TLS");
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the
// certificate
// chain, allowing any certificate. The method name suggests that this may be
// intentional, but we flag it anyway.
TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
context.init(null, trustManager, null); // $ hasValueFlow
}
}

9
java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql Normal file
View File

@@ -0,0 +1,9 @@
import java
import semmle.code.java.security.InsecureTrustManagerQuery
import TestUtilities.InlineFlowTest
class InsecureTrustManagerTest extends InlineFlowTest {
override DataFlow::Configuration getValueFlowConfig() {
result = any(InsecureTrustManagerConfiguration c)
}
}