Refactor into libraries

atorralba · atorralba · commit ab4dc30f5457 · 2022-01-20T10:23:18.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll
@@ -0,0 +1,101 @@
+import java
+private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.security.SecurityFlag
+
+/** The creation of an insecure `TrustManager`. */
+abstract class InsecureTrustManagerSource extends DataFlow::Node { }
+
+private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSource {
+  DefaultInsecureTrustManagerSource() {
+    this.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
+  }
+}
+
+/**
+ * The use of a `TrustManager` in an SSL context.
+ * Intentionally insecure connections are not considered sinks.
+ */
+abstract class InsecureTrustManagerSink extends DataFlow::Node {
+  InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) }
+}
+
+private class DefaultInsecureTrustManagerSink extends InsecureTrustManagerSink {
+  DefaultInsecureTrustManagerSink() {
+    exists(MethodAccess ma, Method m |
+      m.hasName("init") and
+      m.getDeclaringType() instanceof SSLContext and
+      ma.getMethod() = m
+    |
+      ma.getArgument(1) = this.asExpr()
+    )
+  }
+}
+
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
+private predicate isGuardedByInsecureFlag(DataFlow::Node node) {
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
+  )
+}
+
+/**
+ * An insecure `X509TrustManager`.
+ * An `X509TrustManager` is considered insecure if it never throws a `CertificateException`
+ * and therefore implicitly trusts any certificate as valid.
+ */
+private class InsecureX509TrustManager extends RefType {
+  InsecureX509TrustManager() {
+    this.getASupertype*() instanceof X509TrustManager and
+    exists(Method m |
+      m.getDeclaringType() = this and
+      m.hasName("checkServerTrusted") and
+      not mayThrowCertificateException(m)
+    )
+  }
+}
+
+/** The `java.security.cert.CertificateException` class. */
+private class CertificateException extends RefType {
+  CertificateException() { this.hasQualifiedName("java.security.cert", "CertificateException") }
+}
+
+/**
+ * Holds if:
+ * - `m` may `throw` a `CertificateException`, or
+ * - `m` calls another method that may throw, or
+ * - `m` calls a method declared to throw a `CertificateException`, but for which no source is available
+ */
+private predicate mayThrowCertificateException(Method m) {
+  exists(ThrowStmt throwStmt |
+    throwStmt.getThrownExceptionType().getASupertype*() instanceof CertificateException
+  |
+    throwStmt.getEnclosingCallable() = m
+  )
+  or
+  exists(Method otherMethod | m.polyCalls(otherMethod) |
+    mayThrowCertificateException(otherMethod)
+    or
+    not otherMethod.fromSource() and
+    otherMethod.getAnException().getType().getASupertype*() instanceof CertificateException
+  )
+}
+
+/**
+ * Flags suggesting a deliberately insecure `TrustManager` usage.
+ */
+private class InsecureTrustManagerFlag extends FlagKind {
+  InsecureTrustManagerFlag() { this = "InsecureTrustManagerFlag" }
+
+  bindingset[result]
+  override string getAFlagName() {
+    result
+        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
+    result != "equalsIgnoreCase"
+  }
+}
+
+/** Gets a guard that represents a (likely) flag controlling an insecure `TrustManager` use. */
+private Guard getAnInsecureTrustManagerFlagGuard() {
+  result = any(InsecureTrustManagerFlag flag).getAFlag().asExpr()
+}
diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -0,0 +1,20 @@
+/** Provides taint tracking configurations to be used in Trust Manager queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.Encryption
+import semmle.code.java.security.InsecureTrustManager
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
+  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof InsecureTrustManagerSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+}
diff --git a/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql b/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
@@ -10,108 +10,11 @@
  */
 
 import java
-import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.Encryption
-import semmle.code.java.security.SecurityFlag
+import semmle.code.java.security.InsecureTrustManagerQuery
 import DataFlow::PathGraph
 
-/**
- * An insecure `X509TrustManager`.
- * An `X509TrustManager` is considered insecure if it never throws a `CertificateException`
- * and therefore implicitly trusts any certificate as valid.
- */
-class InsecureX509TrustManager extends RefType {
-  InsecureX509TrustManager() {
-    this.getASupertype*() instanceof X509TrustManager and
-    exists(Method m |
-      m.getDeclaringType() = this and
-      m.hasName("checkServerTrusted") and
-      not mayThrowCertificateException(m)
-    )
-  }
-}
-
-/** The `java.security.cert.CertificateException` class. */
-private class CertificateException extends RefType {
-  CertificateException() { this.hasQualifiedName("java.security.cert", "CertificateException") }
-}
-
-/**
- * Holds if:
- * - `m` may `throw` a `CertificateException`, or
- * - `m` calls another method that may throw, or
- * - `m` calls a method declared to throw a `CertificateException`, but for which no source is available
- */
-private predicate mayThrowCertificateException(Method m) {
-  exists(ThrowStmt throwStmt |
-    throwStmt.getThrownExceptionType().getASupertype*() instanceof CertificateException
-  |
-    throwStmt.getEnclosingCallable() = m
-  )
-  or
-  exists(Method otherMethod | m.polyCalls(otherMethod) |
-    mayThrowCertificateException(otherMethod)
-    or
-    not otherMethod.fromSource() and
-    otherMethod.getAnException().getType().getASupertype*() instanceof CertificateException
-  )
-}
-
-/**
- * A configuration to model the flow of an `InsecureX509TrustManager` to an `SSLContext.init` call.
- */
-class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
-  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m |
-      m.hasName("init") and
-      m.getDeclaringType() instanceof SSLContext and
-      ma.getMethod() = m
-    |
-      ma.getArgument(1) = sink.asExpr()
-    )
-  }
-}
-
-/**
- * Flags suggesting a deliberately insecure `TrustManager` usage.
- */
-private class InsecureTrustManagerFlag extends FlagKind {
-  InsecureTrustManagerFlag() { this = "InsecureTrustManagerFlag" }
-
-  bindingset[result]
-  override string getAFlagName() {
-    result
-        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
-    result != "equalsIgnoreCase"
-  }
-}
-
-/** Gets a guard that represents a (likely) flag controlling an insecure `TrustManager` use. */
-private Guard getAnInsecureTrustManagerFlagGuard() {
-  result = any(InsecureTrustManagerFlag flag).getAFlag().asExpr()
-}
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
-private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
-    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
-  )
-}
-
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, InsecureTrustManagerConfiguration cfg,
-  RefType trustManager
-where
-  cfg.hasFlowPath(source, sink) and
-  not isNodeGuardedByFlag(sink.getNode()) and
-  trustManager = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
-select sink, source, sink, "$@ that is defined $@ and trusts any certificate, is used here.",
-  source, "This trustmanager", trustManager, "here"
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
+select sink, source, sink, "This $@, that is defined $@, trusts any certificate and is used here.",
+  source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"
diff --git a/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected b/java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
