Consider setSslContextFactory and fix tests

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -121,12 +121,12 @@ private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
 }
 
 /**
- * A call to the method `useSslProtocol` on an instance of `com.rabbitmq.client.ConnectionFactory`
- * that doesn't set `enableHostnameVerification`.
+ * A call to a method that enables SSL (`useSslProtocol` or `setSslContextFactory`)
+ * on an instance of `com.rabbitmq.client.ConnectionFactory` that doesn't set `enableHostnameVerification`.
  */
 class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
   RabbitMQEnableHostnameVerificationNotSet() {
-    this.getMethod().hasName("useSslProtocol") and
+    this.getMethod().hasName(["useSslProtocol", "setSslContextFactory"]) and
     this.getMethod().getDeclaringType() instanceof RabbitMQConnectionFactory and
     exists(Variable v |
       v.getType() instanceof RabbitMQConnectionFactory and

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -1,5 +1,6 @@
 import java.net.Socket;
 import java.nio.ByteBuffer;
+import java.security.NoSuchAlgorithmException;
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -7,6 +8,7 @@ import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 import com.rabbitmq.client.ConnectionFactory;
+import com.rabbitmq.client.SslContextFactory;
 
 public class UnsafeCertTrustTest {
 
@@ -146,13 +148,39 @@ public class UnsafeCertTrustTest {
 	}
 
 	public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
-		ConnectionFactory connectionFactory = new ConnectionFactory();
-		connectionFactory.useSslProtocol(); // $hasUnsafeCertTrust
+		{
+			ConnectionFactory connectionFactory = new ConnectionFactory();
+			connectionFactory.useSslProtocol(SSLContext.getDefault()); // $hasUnsafeCertTrust
+		}
+		{
+			ConnectionFactory connectionFactory = new ConnectionFactory();
+			connectionFactory.setSslContextFactory(new TestSslContextFactory()); // $hasUnsafeCertTrust
+		}
 	}
 
 	public void testRabbitMQFactorySafe() throws Exception {
-		ConnectionFactory connectionFactory = new ConnectionFactory();
-		connectionFactory.useSslProtocol(); // Safe
-		connectionFactory.enableHostnameVerification();
+		{
+			ConnectionFactory connectionFactory = new ConnectionFactory();
+			connectionFactory.useSslProtocol(SSLContext.getDefault()); // Safe
+			connectionFactory.enableHostnameVerification();
+		}
+		{
+			ConnectionFactory connectionFactory = new ConnectionFactory();
+			connectionFactory.setSslContextFactory(new TestSslContextFactory()); // Safe
+			connectionFactory.enableHostnameVerification();
+		}
+	}
+
+	static class TestSslContextFactory implements SslContextFactory {
+
+		@Override
+		public SSLContext create(String name) {
+			try {
+				return SSLContext.getDefault();
+			} catch (NoSuchAlgorithmException e) {
+				return null;
+			}
+		}
+
 	}
 }

java/ql/test/stubs/amqp-client-5.12.0/com/rabbitmq/client/ConnectionFactory.java

@@ -15,6 +15,7 @@
 
 package com.rabbitmq.client;
 
+import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import java.io.IOException;
@@ -112,6 +113,12 @@ public class ConnectionFactory implements Cloneable {
 
   public void setClientProperties(Map<String, Object> clientProperties) {}
 
+  public SocketFactory getSocketFactory() {
+    return null;
+  }
+
+  public void setSocketFactory(SocketFactory factory) {}
+
   public void setSharedExecutor(ExecutorService executor) {}
 
   public void setShutdownExecutor(ExecutorService executor) {}
@@ -204,6 +211,8 @@ public class ConnectionFactory implements Cloneable {
     return 0;
   }
 
+  public void setSslContextFactory(SslContextFactory sslContextFactory) {}
+
   public void setChannelShouldCheckRpcResponseType(boolean channelShouldCheckRpcResponseType) {}
 
   public boolean isChannelShouldCheckRpcResponseType() {

java/ql/test/stubs/amqp-client-5.12.0/com/rabbitmq/client/SslContextFactory.java

@@ -0,0 +1,23 @@
+// Copyright (c) 2017-2020 VMware, Inc. or its affiliates. All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 2.0 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2. For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+
+import javax.net.ssl.SSLContext;
+
+public interface SslContextFactory {
+    SSLContext create(String name);
+
+}

java/ql/test/stubs/http-client-3.10.0/com/rabbitmq/client/ConnectionFactory.java

@@ -0,0 +1,410 @@
+// Copyright (c) 2007-2020 VMware, Inc. or its affiliates.  All rights reserved.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 2.0 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+import com.rabbitmq.client.impl.*;
+import com.rabbitmq.client.impl.nio.NioParams;
+import com.rabbitmq.client.impl.recovery.RetryHandler;
+import com.rabbitmq.client.impl.recovery.TopologyRecoveryFilter;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.*;
+import java.util.concurrent.*;
+import java.util.function.Predicate;
+import static java.util.concurrent.TimeUnit.MINUTES;
+
+public class ConnectionFactory implements Cloneable {
+    public static final int    DEFAULT_CHANNEL_RPC_TIMEOUT = (int) MINUTES.toMillis(10);
+
+    public String getHost() {
+      return null;
+    }
+
+    public void setHost(String host) {
+    }
+
+    public static int portOrDefault(int port, boolean ssl) {
+      return 0;
+    }
+
+    public int getPort() {
+      return 0;
+    }
+
+    public void setPort(int port) {
+    }
+
+    public String getUsername() {
+      return null;
+    }
+
+    public void setUsername(String username) {
+    }
+
+    public String getPassword() {
+      return null;
+    }
+
+    public void setPassword(String password) {
+    }
+
+    public void setCredentialsProvider(CredentialsProvider credentialsProvider) {
+    }
+
+    public String getVirtualHost() {
+      return null;
+    }
+
+    public void setVirtualHost(String virtualHost) {
+    }
+
+    public void setUri(URI uri)
+        throws URISyntaxException, NoSuchAlgorithmException, KeyManagementException
+    {
+    }
+
+    public void setUri(String uriString)
+        throws URISyntaxException, NoSuchAlgorithmException, KeyManagementException
+    {
+    }
+
+    public int getRequestedChannelMax() {
+      return 0;
+    }
+
+    public void setRequestedChannelMax(int requestedChannelMax) {
+    }
+
+    public int getRequestedFrameMax() {
+      return 0;
+    }
+
+    public void setRequestedFrameMax(int requestedFrameMax) {
+    }
+
+    public int getRequestedHeartbeat() {
+      return 0;
+    }
+
+    public void setConnectionTimeout(int timeout) {
+    }
+
+    public int getConnectionTimeout() {
+      return 0;
+    }
+
+    public int getHandshakeTimeout() {
+      return 0;
+    }
+
+    public void setHandshakeTimeout(int timeout) {
+    }
+
+    public void setShutdownTimeout(int shutdownTimeout) {
+    }
+
+    public int getShutdownTimeout() {
+      return 0;
+    }
+
+    public void setRequestedHeartbeat(int requestedHeartbeat) {
+    }
+
+    public Map<String, Object> getClientProperties() {
+      return null;
+    }
+
+    public void setClientProperties(Map<String, Object> clientProperties) {
+    }
+
+    public SaslConfig getSaslConfig() {
+      return null;
+    }
+
+    public void setSaslConfig(SaslConfig saslConfig) {
+    }
+
+    public SocketFactory getSocketFactory() {
+      return null;
+    }
+
+    public void setSocketFactory(SocketFactory factory) {
+    }
+
+    public SocketConfigurator getSocketConfigurator() {
+      return null;
+    }
+
+    public void setSocketConfigurator(SocketConfigurator socketConfigurator) {
+    }
+
+    public void setSharedExecutor(ExecutorService executor) {
+    }
+
+    public void setShutdownExecutor(ExecutorService executor) {
+    }
+
+    public void setHeartbeatExecutor(ScheduledExecutorService executor) {
+    }
+
+    public ThreadFactory getThreadFactory() {
+      return null;
+    }
+
+    public void setThreadFactory(ThreadFactory threadFactory) {
+    }
+
+    public ExceptionHandler getExceptionHandler() {
+      return null;
+    }
+
+    public void setExceptionHandler(ExceptionHandler exceptionHandler) {
+    }
+
+    public boolean isSSL(){
+      return false;
+    }
+
+    public void useSslProtocol()
+        throws NoSuchAlgorithmException, KeyManagementException
+    {
+    }
+
+    public void useSslProtocol(String protocol)
+        throws NoSuchAlgorithmException, KeyManagementException
+    {
+    }
+
+    public void useSslProtocol(String protocol, TrustManager trustManager)
+        throws NoSuchAlgorithmException, KeyManagementException
+    {
+    }
+
+    public void useSslProtocol(SSLContext context) {
+    }
+
+    public void enableHostnameVerification() {
+    }
+
+    public static String computeDefaultTlsProtocol(String[] supportedProtocols) {
+      return null;
+    }
+
+    public boolean isAutomaticRecoveryEnabled() {
+      return false;
+    }
+
+    public void setAutomaticRecoveryEnabled(boolean automaticRecovery) {
+    }
+
+    public boolean isTopologyRecoveryEnabled() {
+      return false;
+    }
+
+    public void setTopologyRecoveryEnabled(boolean topologyRecovery) {
+    }
+
+    public ExecutorService getTopologyRecoveryExecutor() {
+      return null;
+    }
+
+    public void setTopologyRecoveryExecutor(final ExecutorService topologyRecoveryExecutor) {
+    }
+
+    public void setMetricsCollector(MetricsCollector metricsCollector) {
+    }
+
+    public MetricsCollector getMetricsCollector() {
+      return null;
+    }
+
+    public void setCredentialsRefreshService(CredentialsRefreshService credentialsRefreshService) {
+    }
+
+    public Connection newConnection(Address[] addrs) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(AddressResolver addressResolver) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(Address[] addrs, String clientProvidedName) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(List<Address> addrs) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(List<Address> addrs, String clientProvidedName) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, Address[] addrs) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, Address[] addrs, String clientProvidedName) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, List<Address> addrs) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, AddressResolver addressResolver) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, List<Address> addrs, String clientProvidedName)
+            throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, AddressResolver addressResolver, String clientProvidedName)
+        throws IOException, TimeoutException {
+      return null;
+    }
+
+    public ConnectionParams params(ExecutorService consumerWorkServiceExecutor) {
+      return null;
+    }
+
+    public Connection newConnection() throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(String connectionName) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor) throws IOException, TimeoutException {
+      return null;
+    }
+
+    public Connection newConnection(ExecutorService executor, String connectionName) throws IOException, TimeoutException {
+      return null;
+    }
+
+    @Override public ConnectionFactory clone(){
+    @Override public ConnectionFactory clone(){
+      return null;
+    }
+
+    public ConnectionFactory load(String propertyFileLocation) throws IOException {
+      return null;
+    }
+
+    public ConnectionFactory load(String propertyFileLocation, String prefix) throws IOException {
+      return null;
+    }
+
+    public ConnectionFactory load(Properties properties) {
+      return null;
+    }
+
+    public ConnectionFactory load(Properties properties, String prefix) {
+      return null;
+    }
+
+    public ConnectionFactory load(Map<String, String> properties) {
+      return null;
+    }
+
+    public ConnectionFactory load(Map<String, String> properties, String prefix) {
+      return null;
+    }
+
+    public long getNetworkRecoveryInterval() {
+      return 0;
+    }
+
+    public void setNetworkRecoveryInterval(int networkRecoveryInterval) {
+    }
+
+    public void setNetworkRecoveryInterval(long networkRecoveryInterval) {
+    }
+
+    public RecoveryDelayHandler getRecoveryDelayHandler() {
+      return null;
+    }
+
+    public void setRecoveryDelayHandler(final RecoveryDelayHandler recoveryDelayHandler) {
+    }
+
+    public void setNioParams(NioParams nioParams) {
+    }
+
+    public NioParams getNioParams() {
+      return null;
+    }
+
+    public void useNio() {
+    }
+
+    public void useBlockingIo() {
+    }
+
+    public void setChannelRpcTimeout(int channelRpcTimeout) {
+    }
+
+    public int getChannelRpcTimeout() {
+      return 0;
+    }
+
+    public void setSslContextFactory(SslContextFactory sslContextFactory) {
+    }
+
+    public void setChannelShouldCheckRpcResponseType(boolean channelShouldCheckRpcResponseType) {
+    }
+
+    public boolean isChannelShouldCheckRpcResponseType() {
+      return false;
+    }
+
+    public void setWorkPoolTimeout(int workPoolTimeout) {
+    }
+
+    public int getWorkPoolTimeout() {
+      return 0;
+    }
+
+    public void setErrorOnWriteListener(ErrorOnWriteListener errorOnWriteListener) {
+    }
+
+    public void setTopologyRecoveryFilter(TopologyRecoveryFilter topologyRecoveryFilter) {
+    }
+
+    public void setConnectionRecoveryTriggeringCondition(Predicate<ShutdownSignalException> connectionRecoveryTriggeringCondition) {
+    }
+
+    public void setTopologyRecoveryRetryHandler(RetryHandler topologyRecoveryRetryHandler) {
+    }
+
+    public void setTrafficListener(TrafficListener trafficListener) {
+    }
+
+    public static int ensureUnsignedShort(int value) {
+      return 0;
+    }
+
+}