Generalize sanitizer using local flow

atorralba · atorralba · commit 19d1a780cabf · 2022-01-19T16:42:05.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll b/java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll
@@ -55,9 +55,10 @@ abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }
  */
 private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
   SslConnectionWithSafeSslParameters() {
-    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe |
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
       config.hasFlowTo(safe) and
-      this = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier())
+      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
+      DataFlow::localFlow(sanitizer, this)
     )
   }
 }
@@ -72,7 +73,7 @@ private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer {
       m.getDeclaringType().getASupertype*() instanceof SSLEngine and
       ma.getMethod() = m and
       ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and
-      this = DataFlow::exprNode(ma.getQualifier())
+      this.asExpr() = ma.getQualifier()
     )
   }
 }
diff --git a/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java b/java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java
@@ -116,6 +116,18 @@ private void onSetSSLParameters(SSLParameters sslParameters) {
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 	}
 
+	public void testSSLSocketEndpointIdSafeWithConditionalSanitizer(boolean safe) throws Exception {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		if (safe) {
+			SSLParameters sslParameters = socket.getSSLParameters();
+			onSetSSLParameters(sslParameters);
+			socket.setSSLParameters(sslParameters);
+		}
+		socket.getOutputStream(); // Safe
+	}
+
 	public void testSocketEndpointIdNotSet() throws Exception {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);

Original file line number	Diff line number	Diff line change
`@@ -55,9 +55,10 @@ abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }`
`55`	`55`	`*/`
`56`	`56`	`private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {`
`57`	`57`	`SslConnectionWithSafeSslParameters() {`
`58`		`- exists(SafeSslParametersFlowConfig config, DataFlow::Node safe \|`
	`58`	`+ exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer \|`
`59`	`59`	`config.hasFlowTo(safe) and`
`60`		`- this = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier())`
	`60`	`+ sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and`
	`61`	`+ DataFlow::localFlow(sanitizer, this)`
`61`	`62`	`)`
`62`	`63`	`}`
`63`	`64`	`}`
`@@ -72,7 +73,7 @@ private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer {`
`72`	`73`	`m.getDeclaringType().getASupertype*() instanceof SSLEngine and`
`73`	`74`	`ma.getMethod() = m and`
`74`	`75`	`ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and`
`75`		`- this = DataFlow::exprNode(ma.getQualifier())`
	`76`	`+ this.asExpr() = ma.getQualifier()`
`76`	`77`	`)`
`77`	`78`	`}`
`78`	`79`	`}`