mirror of
https://github.com/github/codeql.git
synced 2026-04-28 02:05:14 +02:00
Use InlineExpectationsTest
This commit is contained in:
Tony Torralba
@@ -34,8 +34,9 @@ class SslConnectionCreation extends DataFlow::Node {
|
||||
// calls to SocketFactory.createSocket with parameters immediately create the connection
|
||||
exists(MethodAccess ma, Method m |
|
||||
ma.getMethod() = m and
|
||||
m instanceof CreateSocket and
|
||||
m.getNumberOfParameters() > 0
|
||||
m instanceof CreateSocketMethod and
|
||||
m.getNumberOfParameters() > 0 and
|
||||
isSslSocket(ma)
|
||||
|
|
||||
this.asExpr() = ma
|
||||
)
|
||||
@@ -55,6 +56,20 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the return value of `createSocket` is cast to `SSLSocket`
|
||||
* or the qualifier of `createSocket` is an instance of `SSLSocketFactory`.
|
||||
*/
|
||||
private predicate isSslSocket(MethodAccess createSocket) {
|
||||
exists(Variable ssl, CastExpr ce |
|
||||
ce.getExpr() = createSocket and
|
||||
ce.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl and
|
||||
ssl.getType() instanceof SSLSocket
|
||||
)
|
||||
or
|
||||
createSocket.getQualifier().getType().(RefType).getASupertype*() instanceof SSLSocketFactory
|
||||
}
|
||||
|
||||
private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
|
||||
SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
|
||||
|
||||
@@ -85,7 +100,7 @@ private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
|
||||
|
||||
/**
|
||||
* A call to the method `useSslProtocol` on an instance of `com.rabbitmq.client.ConnectionFactory`
|
||||
* that doesn't have `enableHostnameVerification` set.
|
||||
* that doesn't set `enableHostnameVerification`.
|
||||
*/
|
||||
class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
|
||||
RabbitMQEnableHostnameVerificationNotSet() {
|
||||
|
||||
@@ -27,10 +27,10 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from Expr unsafeConfig
|
||||
from Expr unsafeTrust
|
||||
where
|
||||
unsafeConfig instanceof RabbitMQEnableHostnameVerificationNotSet or
|
||||
unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet or
|
||||
exists(SslEndpointIdentificationFlowConfig config |
|
||||
config.hasFlowTo(DataFlow::exprNode(unsafeConfig))
|
||||
config.hasFlowTo(DataFlow::exprNode(unsafeTrust))
|
||||
)
|
||||
select unsafeConfig, "Unsafe configuration of trusted certificates"
|
||||
select unsafeTrust, "Unsafe configuration of trusted certificates"
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
| UnsafeCertTrustTest.java:26:25:26:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:37:25:37:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
|
||||
| UnsafeCertTrustTest.java:46:34:46:83 | createSocket(...) | Unsafe configuration of trusted certificates |
|
||||
@@ -1 +0,0 @@
|
||||
Security/CWE/CWE-273/UnsafeCertTrust.ql
|
||||
@@ -19,7 +19,7 @@ public class UnsafeCertTrustTest {
|
||||
SSLParameters sslParameters = sslEngine.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm(null);
|
||||
sslEngine.setSSLParameters(sslParameters);
|
||||
sslEngine.getSession();
|
||||
sslEngine.getSession(); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -28,7 +28,7 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
SSLEngine sslEngine = sslContext.createSSLEngine();
|
||||
sslEngine.getSession();
|
||||
sslEngine.getSession(); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -40,7 +40,7 @@ public class UnsafeCertTrustTest {
|
||||
SSLParameters sslParameters = sslEngine.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
|
||||
sslEngine.setSSLParameters(sslParameters);
|
||||
sslEngine.getSession();
|
||||
sslEngine.getSession(); // Safe
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -49,8 +49,8 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketImmediatelyConnects()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
|
||||
SocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -59,9 +59,9 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketEndpointIdNotSet()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443));
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -70,12 +70,12 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketEndpointIdSetNull()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
|
||||
SSLParameters sslParameters = socket.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm(null);
|
||||
socket.setSSLParameters(sslParameters);
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443));
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -84,12 +84,12 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketEndpointIdSetEmpty()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
|
||||
SSLParameters sslParameters = socket.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm("");
|
||||
socket.setSSLParameters(sslParameters);
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443));
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -98,8 +98,8 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketEndpointIdAfterConnecting()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
|
||||
SSLParameters sslParameters = socket.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
|
||||
socket.setSSLParameters(sslParameters);
|
||||
@@ -111,12 +111,12 @@ public class UnsafeCertTrustTest {
|
||||
public void testSSLSocketEndpointIdSafe()
|
||||
throws java.security.NoSuchAlgorithmException, java.io.IOException {
|
||||
SSLContext sslContext = SSLContext.getInstance("TLS");
|
||||
final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
|
||||
SSLSocket socket = (SSLSocket) socketFactory.createSocket();
|
||||
SSLParameters sslParameters = socket.getSSLParameters();
|
||||
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
|
||||
socket.setSSLParameters(sslParameters);
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443));
|
||||
socket.connect(new InetSocketAddress("www.example.com", 443)); // Safe
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -124,7 +124,7 @@ public class UnsafeCertTrustTest {
|
||||
*/
|
||||
public void testSocketEndpointIdNotSet() throws java.io.IOException {
|
||||
SocketFactory socketFactory = SocketFactory.getDefault();
|
||||
Socket socket = socketFactory.createSocket("www.example.com", 80);
|
||||
Socket socket = socketFactory.createSocket("www.example.com", 80); // Safe
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -132,7 +132,7 @@ public class UnsafeCertTrustTest {
|
||||
*/
|
||||
public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
|
||||
ConnectionFactory connectionFactory = new ConnectionFactory();
|
||||
connectionFactory.useSslProtocol();
|
||||
connectionFactory.useSslProtocol(); // $hasUnsafeCertTrust
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -140,7 +140,7 @@ public class UnsafeCertTrustTest {
|
||||
*/
|
||||
public void testRabbitMQFactorySafe() throws Exception {
|
||||
ConnectionFactory connectionFactory = new ConnectionFactory();
|
||||
connectionFactory.useSslProtocol();
|
||||
connectionFactory.useSslProtocol(); // Safe
|
||||
connectionFactory.enableHostnameVerification();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.security.UnsafeCertTrust
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qltest:cwe:unsafe-cert-trust" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) {
|
||||
sanitizer instanceof SslConnectionWithSafeSslParameters
|
||||
}
|
||||
}
|
||||
|
||||
class UnsafeCertTrustTest extends InlineExpectationsTest {
|
||||
UnsafeCertTrustTest() { this = "HasUnsafeCertTrustTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasUnsafeCertTrust" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasUnsafeCertTrust" and
|
||||
exists(Expr unsafeTrust |
|
||||
unsafeTrust instanceof X509TrustAllManagerInit
|
||||
or
|
||||
unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet
|
||||
or
|
||||
exists(Conf config | config.hasFlowTo(DataFlow::exprNode(unsafeTrust)))
|
||||
|
|
||||
unsafeTrust.getLocation() = location and
|
||||
element = unsafeTrust.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user