Fixed another false-positive in CWE-297/IgnoredHostnameVerification.ql

artem-smotrakov · artem-smotrakov · commit 825fe1797ada · 2022-01-16T18:55:49.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -51,8 +51,11 @@ private class CheckFailedHostnameVerificationConfig extends DataFlow::Configurat
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(Guard guard, ThrowStmt throwStmt |
-      guard.controls(throwStmt.getBasicBlock(), _) and
+    exists(Guard guard, ThrowStmt throwStmt, ReturnStmt returnStmt |
+      (
+        guard.controls(throwStmt.getBasicBlock(), false) or
+        guard.controls(returnStmt.getBasicBlock(), true)
+      ) and
       (
         guard = sink.asExpr() or
         guard.(EqualityTest).getAnOperand() = sink.asExpr() or
@@ -64,4 +67,4 @@ private class CheckFailedHostnameVerificationConfig extends DataFlow::Configurat
 
 from HostnameVerificationCall verification
 where verification.isIgnored()
-select verification, "Ignored result of hostname verification."
+select verification, "Ignored result of hostname verification."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java
@@ -90,17 +90,30 @@ public static SSLSocket connectWithHostnameVerification03(
     throw new SSLException("Oops! Hostname verification failed!");
   }
 
+  // GOOD: connect and check result of HostnameVerifier.verify()
+  public static String connectWithHostnameVerification04(
+      String[] hosts, HostnameVerifier verifier, SSLSession session) throws IOException {
+
+    for (String host : hosts) {
+      if (verifier.verify(host, session)) {
+        return host;
+      }
+    }
+
+    throw new SSLException("Oops! Hostname verification failed!");
+  }
+
   public static class HostnameVerifierWrapper implements HostnameVerifier {
 
     private final HostnameVerifier verifier;
 
     public HostnameVerifierWrapper(HostnameVerifier verifier) {
-        this.verifier = verifier;
+      this.verifier = verifier;
     }
 
     @Override
     public boolean verify(String hostname, SSLSession session) {
-        return verifier.verify(hostname, session); // GOOD: wrapped calls should not be reported
+      return verifier.verify(hostname, session); // GOOD: wrapped calls should not be reported
     }
 
   }
