Handle a specific pass-by-reference flow issue

Author: atorralba

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -97,7 +97,7 @@ private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
   override predicate isSource(DataFlow::Node source) {
     exists(MethodAccess ma |
       ma instanceof SafeSetEndpointIdentificationAlgorithm and
-      ma.getQualifier() = source.asExpr()
+      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
     )
   }
 

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -102,6 +102,20 @@ public void testSSLSocketEndpointIdSafe() throws Exception {
 		socket.getOutputStream(); // Safe
 	}
 
+	public void testSSLSocketEndpointIdSafeWithModificationByReference() throws Exception {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
+		SSLParameters sslParameters = socket.getSSLParameters();
+		onSetSSLParameters(sslParameters);
+		socket.setSSLParameters(sslParameters);
+		socket.getOutputStream(); // Safe
+	}
+
+	private void onSetSSLParameters(SSLParameters sslParameters) {
+		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+	}
+
 	public void testSocketEndpointIdNotSet() throws Exception {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80);