diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
index 22ab9bbcbc9..d54653e3046 100644
--- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.InsecureTrustManager
 
 /**
+ * DEPRECATED: Use `InsecureTrustManagerFlow` instead.
+ *
  * A configuration to model the flow of an insecure `TrustManager`
  * to the initialization of an SSL context.
  */
-class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
+deprecated class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
   InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -23,3 +25,21 @@ class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
     c instanceof DataFlow::ArrayContent
   }
 }
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+private module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof InsecureTrustManagerSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    (isSink(node) or isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
+}
+
+module InsecureTrustManagerFlow = DataFlow::Global;
diff --git a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
index 755f2b5a4a7..4904c08b195 100644
--- a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
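Review bot: `InsecureTrustManagerConfig` is declared `private`, so the only exported replacement for the deprecated public configuration is the pre-instantiated `InsecureTrustManagerFlow`; anyone who used the old class to run the same sources and sinks under their own instantiation (a taint-tracking variant, a test harness, a config with extra steps) has no equivalent here. Unless hiding it is deliberate, drop the modifier: `module InsecureTrustManagerConfig implements DataFlow::ConfigSig {`. The `InsecureTrustManagerFlow` alias also has no QLDoc although the class it supersedes is documented; a one-liner such as `/** Tracks flow of an insecure TrustManager into the initialization of an SSL context. */` above it would keep the exported API described. As rendered here the last line reads `DataFlow::Global;` with no `<InsecureTrustManagerConfig>` type argument, which is presumably the page stripping angle brackets rather than the committed text, but it is worth a glance.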
+++ b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql @@ -13,10 +13,10 @@ import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.InsecureTrustManagerQuery -import DataFlow::PathGraph +import InsecureTrustManagerFlow::PathGraph -from DataFlow::PathNode source, DataFlow::PathNode sink -where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink) +from InsecureTrustManagerFlow::PathNode source, InsecureTrustManagerFlow::PathNode sink +where InsecureTrustManagerFlow::flowPath(source, sink) select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.", source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName() diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql index fb00ff33b34..0f068d04679 100644 --- a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql +++ b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql 
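Review bot: The inline cast `source.getNode().asExpr().(ClassInstanceExpr)` in the unchanged `select` silently drops any path whose source is not a `ClassInstanceExpr`, because a failed cast in QL yields no tuple rather than a row with a missing type name, so the migration to `InsecureTrustManagerFlow::flowPath` carries that blind spot forward. Whether it can bite depends on how `InsecureTrustManagerSource` is defined in `InsecureTrustManager.qll`, which is outside this diff, so treat this as something to confirm rather than a known loss of results. If the source is by construction a class-instance expression, saying so in the source class's QLDoc makes the select's assumption explicit; if it is not, the last column should fall back to a generic name (an `if exists(...) then ... else "TrustManager"` expression) so that an insecure trust manager is never reported as nothing at all.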
@@ -1,13 +1,18 @@
 import java
 import semmle.code.java.security.InsecureTrustManagerQuery
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
+class InsecureTrustManagerTest extends InlineExpectationsTest {
+  InsecureTrustManagerTest() { this = "InsecureTrustManagerTest" }
 
-class InsecureTrustManagerTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() {
-    result = any(InsecureTrustManagerConfiguration c)
+  override string getARelevantTag() { result = "hasValueFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node sink | InsecureTrustManagerFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
   }
 }
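Review bot: The new `hasActualResult` keys on `hasValueFlow` only (`getARelevantTag() { result = "hasValueFlow" }`), whereas the `InlineFlowTest` it replaces, at least in its default form, also recognised `hasTaintFlow`, so any `hasTaintFlow` expectation left in the accompanying `.java` test source would now be ignored silently instead of reported as missing; worth one grep of the test directory. The hand-rolled class also duplicates the generic sink-reporting logic (`sink.getLocation() = location and element = sink.toString() and value = ""`) that the shared flow-test utility exists to provide; if the repository's `InlineFlowTest` already accepts a `DataFlow::ConfigSig` module, a one-line `module Test = DefaultValueFlowTest<...>` (which requires the config module to be exported from `InsecureTrustManagerQuery.qll`) would keep this test in step with the others. Either way, a short QLDoc on the class saying that only sinks reached by `InsecureTrustManagerFlow` are checked, not the source or the path, would spare the next reader from rediscovering that.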