Refactor InsecureTrustManager

2025-12-24 12:46:34 +01:00 · 2023-03-21 17:14:48 -04:00
parent 3b2eea2d44
commit dcd46c2236
3 changed files with 36 additions and 11 deletions
--- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.InsecureTrustManager

 /**
+ * DEPRECATED: Use `InsecureTrustManagerFlow` instead.
+ *
 * A configuration to model the flow of an insecure `TrustManager`
 * to the initialization of an SSL context.
 */
-class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
+deprecated class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }

  override predicate isSource(DataFlow::Node source) {
@@ -23,3 +25,21 @@ class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
    c instanceof DataFlow::ArrayContent
  }
 }
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+private module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof InsecureTrustManagerSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    (isSink(node) or isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
+}
+
+module InsecureTrustManagerFlow = DataFlow::Global<InsecureTrustManagerConfig>;
--- a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+++ b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
@@ -13,10 +13,10 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.InsecureTrustManagerQuery
-import DataFlow::PathGraph
+import InsecureTrustManagerFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
+from InsecureTrustManagerFlow::PathNode source, InsecureTrustManagerFlow::PathNode sink
+where InsecureTrustManagerFlow::flowPath(source, sink)
 select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.",
  source, "TrustManager",
  source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName()
--- a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql
+++ b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql
@@ -1,13 +1,18 @@
 import java
 import semmle.code.java.security.InsecureTrustManagerQuery
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest

-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
+class InsecureTrustManagerTest extends InlineExpectationsTest {
+  InsecureTrustManagerTest() { this = "InsecureTrustManagerTest" }

-class InsecureTrustManagerTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() {
-    result = any(InsecureTrustManagerConfiguration c)
+  override string getARelevantTag() { result = "hasValueFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node sink | InsecureTrustManagerFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
  }
 }