Java: Fix FP in UseSSL.

2026-04-27 01:35:13 +02:00 · 2018-12-04 17:44:05 +01:00
parent ca72c8ebfe
commit d3fcfb0957
4 changed files with 23 additions and 2 deletions
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
@@ -0,0 +1,14 @@
+import java.net.HttpURLConnection;
+import javax.net.ssl.HttpsURLConnection;
+import java.io.*;
+
+class Test {
+  public void m1(HttpURLConnection connection) {
+    InputStream input;
+    if (connection instanceof HttpsURLConnection) {
+      input = connection.getInputStream(); // OK
+    } else {
+      input = connection.getInputStream(); // BAD
+    }
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
@@ -0,0 +1 @@
+| Test.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-319/UseSSL.ql
				`@@ -0,0 +1 @@`
				`\| Test.java:11:15:11:41 \| getInputStream(...) \| Stream using vulnerable non-SSL connection. \|`