Use InlineExpectationsTest

Author: atorralba

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -34,8 +34,9 @@ class SslConnectionCreation extends DataFlow::Node {
     // calls to SocketFactory.createSocket with parameters immediately create the connection
     exists(MethodAccess ma, Method m |
       ma.getMethod() = m and
-      m instanceof CreateSocket and
-      m.getNumberOfParameters() > 0
+      m instanceof CreateSocketMethod and
+      m.getNumberOfParameters() > 0 and
+      isSslSocket(ma)
     |
       this.asExpr() = ma
     )
@@ -55,6 +56,20 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node {
   }
 }
 
+/**
+ * Holds if the return value of `createSocket` is cast to `SSLSocket`
+ * or the qualifier of `createSocket` is an instance of `SSLSocketFactory`.
+ */
+private predicate isSslSocket(MethodAccess createSocket) {
+  exists(Variable ssl, CastExpr ce |
+    ce.getExpr() = createSocket and
+    ce.getControlFlowNode().getASuccessor().(VariableAssign).getDestVar() = ssl and
+    ssl.getType() instanceof SSLSocket
+  )
+  or
+  createSocket.getQualifier().getType().(RefType).getASupertype*() instanceof SSLSocketFactory
+}
+
 private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
   SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
 
@@ -85,7 +100,7 @@ private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
 
 /**
  * A call to the method `useSslProtocol` on an instance of `com.rabbitmq.client.ConnectionFactory`
- * that doesn't have `enableHostnameVerification` set.
+ * that doesn't set `enableHostnameVerification`.
  */
 class RabbitMQEnableHostnameVerificationNotSet extends MethodAccess {
   RabbitMQEnableHostnameVerificationNotSet() {

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

@@ -27,10 +27,10 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
   }
 }
 
-from Expr unsafeConfig
+from Expr unsafeTrust
 where
-  unsafeConfig instanceof RabbitMQEnableHostnameVerificationNotSet or
+  unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet or
   exists(SslEndpointIdentificationFlowConfig config |
-    config.hasFlowTo(DataFlow::exprNode(unsafeConfig))
+    config.hasFlowTo(DataFlow::exprNode(unsafeTrust))
   )
-select unsafeConfig, "Unsafe configuration of trusted certificates"
+select unsafeTrust, "Unsafe configuration of trusted certificates"

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrust.expected

@@ -19,7 +19,7 @@ public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorith
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.getSession();
+		sslEngine.getSession(); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -28,7 +28,7 @@ public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorith
 	public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
-		sslEngine.getSession();
+		sslEngine.getSession(); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -40,7 +40,7 @@ public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmEx
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.getSession();
+		sslEngine.getSession(); // Safe
 	}
 
 	/**
@@ -49,8 +49,8 @@ public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmEx
 	public void testSSLSocketImmediatelyConnects()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
-		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
+		SocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -59,9 +59,9 @@ public void testSSLSocketImmediatelyConnects()
 	public void testSSLSocketEndpointIdNotSet()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
-		socket.connect(new InetSocketAddress("www.example.com", 443));
+		socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -70,12 +70,12 @@ public void testSSLSocketEndpointIdNotSet()
 	public void testSSLSocketEndpointIdSetNull()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		socket.setSSLParameters(sslParameters);
-		socket.connect(new InetSocketAddress("www.example.com", 443));
+		socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -84,12 +84,12 @@ public void testSSLSocketEndpointIdSetNull()
 	public void testSSLSocketEndpointIdSetEmpty()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("");
 		socket.setSSLParameters(sslParameters);
-		socket.connect(new InetSocketAddress("www.example.com", 443));
+		socket.connect(new InetSocketAddress("www.example.com", 443)); // $hasUnsafeCertTrust
 	}
 
 	/**
@@ -98,8 +98,8 @@ public void testSSLSocketEndpointIdSetEmpty()
 	public void testSSLSocketEndpointIdAfterConnecting()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
-		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443);
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		socket.setSSLParameters(sslParameters);
@@ -111,36 +111,36 @@ public void testSSLSocketEndpointIdAfterConnecting()
 	public void testSSLSocketEndpointIdSafe()
 			throws java.security.NoSuchAlgorithmException, java.io.IOException {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
-		final SSLSocketFactory socketFactory = sslContext.getSocketFactory();
+		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		socket.setSSLParameters(sslParameters);
-		socket.connect(new InetSocketAddress("www.example.com", 443));
+		socket.connect(new InetSocketAddress("www.example.com", 443)); // Safe
 	}
 
 	/**
 	 * Test the endpoint identification of regular socket is not set
 	 */
 	public void testSocketEndpointIdNotSet() throws java.io.IOException {
 		SocketFactory socketFactory = SocketFactory.getDefault();
-		Socket socket = socketFactory.createSocket("www.example.com", 80);
+		Socket socket = socketFactory.createSocket("www.example.com", 80); // Safe
 	}
 
 	/**
 	 * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
 	 */
 	public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
 		ConnectionFactory connectionFactory = new ConnectionFactory();
-		connectionFactory.useSslProtocol();
+		connectionFactory.useSslProtocol(); // $hasUnsafeCertTrust
 	}
 
 	/**
 	 * Test the enableHostnameVerification of RabbitMQConnectionFactory is not set
 	 */
 	public void testRabbitMQFactorySafe() throws Exception {
 		ConnectionFactory connectionFactory = new ConnectionFactory();
-		connectionFactory.useSslProtocol();
+		connectionFactory.useSslProtocol(); // Safe
 		connectionFactory.enableHostnameVerification();
 	}
 }

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrust.qlref

@@ -0,0 +1,38 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeCertTrust
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:cwe:unsafe-cert-trust" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SslConnectionWithSafeSslParameters
+  }
+}
+
+class UnsafeCertTrustTest extends InlineExpectationsTest {
+  UnsafeCertTrustTest() { this = "HasUnsafeCertTrustTest" }
+
+  override string getARelevantTag() { result = "hasUnsafeCertTrust" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasUnsafeCertTrust" and
+    exists(Expr unsafeTrust |
+      unsafeTrust instanceof X509TrustAllManagerInit
+      or
+      unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet
+      or
+      exists(Conf config | config.hasFlowTo(DataFlow::exprNode(unsafeTrust)))
+    |
+      unsafeTrust.getLocation() = location and
+      element = unsafeTrust.toString() and
+      value = ""
+    )
+  }
+}