Apply suggestions from code review

atorralba · aschackmull · atorralba · commit a86cbd884edf · 2021-10-05T09:40:22.000+02:00
Co-authored-by: Anders Schack-Mulligen &lt;aschackmull@users.noreply.github.com&gt;
diff --git a/java/ql/lib/semmle/code/java/frameworks/Mail.qll b/java/ql/lib/semmle/code/java/frameworks/Mail.qll
diff --git a/java/ql/lib/semmle/code/java/security/Mail.qll b/java/ql/lib/semmle/code/java/security/Mail.qll
@@ -10,10 +10,10 @@ private import semmle.code.java.frameworks.Properties
  *    set the `mail.smtp.ssl.socketFactory`/`mail.smtp.ssl.socketFactory.class` property to create an SMTP SSL socket.
  * 2. No `mail.smtp.ssl.checkserveridentity` property is enabled.
  */
-predicate isInsecureMailPropertyConfig(VarAccess propertiesVarAccess) {
+predicate isInsecureMailPropertyConfig(Variable properties) {
   exists(MethodAccess ma |
     ma.getMethod() instanceof SetPropertyMethod and
-    ma.getQualifier() = propertiesVarAccess.getVariable().getAnAccess()
+    ma.getQualifier() = properties.getAnAccess()
   |
     getStringValue(ma.getArgument(0)).matches("%.auth%") and //mail.smtp.auth
     getStringValue(ma.getArgument(1)) = "true"
@@ -22,7 +22,7 @@ predicate isInsecureMailPropertyConfig(VarAccess propertiesVarAccess) {
   ) and
   not exists(MethodAccess ma |
     ma.getMethod() instanceof SetPropertyMethod and
-    ma.getQualifier() = propertiesVarAccess.getVariable().getAnAccess()
+    ma.getQualifier() = properties.getAnAccess()
   |
     getStringValue(ma.getArgument(0)).matches("%.ssl.checkserveridentity%") and //mail.smtp.ssl.checkserveridentity
     getStringValue(ma.getArgument(1)) = "true"
@@ -39,19 +39,20 @@ predicate enablesEmailSsl(MethodAccess ma) {
 }
 
 /**
- * Holds if a SSL certificate check is enabled on `va` with Apache Email
+ * Holds if a SSL certificate check is enabled on an access of `apacheEmail` with Apache Email.
  */
-predicate hasSslCertificateCheck(VarAccess va) {
+predicate hasSslCertificateCheck(Variable apacheEmail) {
   exists(MethodAccess ma |
-    ma.getQualifier() = va.getVariable().getAnAccess() and
+    ma.getQualifier() = apacheEmail.getAnAccess() and
     ma.getMethod().hasName("setSSLCheckServerIdentity") and
     ma.getMethod().getDeclaringType() instanceof ApacheEmail and
     ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
   )
 }
 
 /**
- * Helper method to get string value of an argument
+ * Returns the string value of `expr` if it is a `CompileTimeConstantExpr`,
+ * or the string value of its operands if it is an `AddExpr`.
  */
 private string getStringValue(Expr expr) {
   result = expr.(CompileTimeConstantExpr).getStringValue()
@@ -60,7 +61,8 @@ private string getStringValue(Expr expr) {
 }
 
 /**
- * A method to set Java properties
+ * A method to set Java properties, either using the `Properties` class
+ * or the `Dictionary` class.
  */
 private class SetPropertyMethod extends Method {
   SetPropertyMethod() {
diff --git a/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql b/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql
@@ -5,6 +5,7 @@
  *              makes the session susceptible to a man-in-the-middle attack.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/insecure-smtp-ssl
  * @tags security
@@ -17,7 +18,7 @@ import semmle.code.java.security.Mail
 from MethodAccess ma
 where
   ma.getMethod() instanceof MailSessionGetInstanceMethod and
-  isInsecureMailPropertyConfig(ma.getArgument(0))
+  isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())
   or
-  enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier())
+  enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())
 select ma, "Java mailing has insecure SSL configuration"
diff --git a/java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.ql b/java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.ql
@@ -15,9 +15,10 @@ class InsecureJavaMailTest extends InlineExpectationsTest {
       value = ""
     |
       ma.getMethod() instanceof MailSessionGetInstanceMethod and
-      isInsecureMailPropertyConfig(ma.getArgument(0))
+      isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())
       or
-      enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier())
+      enablesEmailSsl(ma) and
+      not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,10 @@ class InsecureJavaMailTest extends InlineExpectationsTest {`
`15`	`15`	`value = ""`
`16`	`16`	`\|`
`17`	`17`	`ma.getMethod() instanceof MailSessionGetInstanceMethod and`
`18`		`- isInsecureMailPropertyConfig(ma.getArgument(0))`
	`18`	`+ isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())`
`19`	`19`	`or`
`20`		`- enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier())`
	`20`	`+ enablesEmailSsl(ma) and`
	`21`	`+ not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())`
`21`	`22`	`)`
`22`	`23`	`}`
`23`	`24`	`}`