Java: UnsafeCertTrust (+ convert test to qlref)

Author: d10c

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll

@@ -15,16 +15,16 @@ module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof SslUnsafeCertTrustSanitizer }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql@22:8:22:18)
-  }
+  predicate observeDiffInformedIncrementalMode() { any() }
 
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql@22:8:22:18)
-  }
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql@22:8:22:18)
+    exists(Expr unsafeTrust | result = unsafeTrust.getLocation() |
+      unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet
+      or
+      sink.asExpr() = unsafeTrust
+    )
   }
 }
 

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.expected

@@ -0,0 +1,13 @@
+| UnsafeCertTrustTest.java:24:3:24:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:25:3:25:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:26:3:26:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:35:3:35:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:36:3:36:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:37:3:37:11 | sslEngine | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:64:3:64:8 | socket | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:74:3:74:8 | socket | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:84:3:84:8 | socket | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:91:3:91:8 | socket | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:141:3:141:8 | socket | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:153:4:153:60 | useSslProtocol(...) | Unsafe configuration of trusted certificates. |
+| UnsafeCertTrustTest.java:157:4:157:70 | setSslContextFactory(...) | Unsafe configuration of trusted certificates. |

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -21,9 +21,9 @@ public void testSSLEngineEndpointIdSetNull() throws Exception {
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.beginHandshake(); // $hasUnsafeCertTrust
-		sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust
-		sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust
+		sslEngine.beginHandshake(); // $ Alert
+		sslEngine.wrap(new ByteBuffer[] {}, null); // $ Alert
+		sslEngine.unwrap(null, null, 0, 0); // $ Alert
 	}
 
 	public void testSSLEngineEndpointIdSetEmpty() throws Exception {
@@ -32,9 +32,9 @@ public void testSSLEngineEndpointIdSetEmpty() throws Exception {
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("");
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.beginHandshake(); // $hasUnsafeCertTrust
-		sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust
-		sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust
+		sslEngine.beginHandshake(); // $ Alert
+		sslEngine.wrap(new ByteBuffer[] {}, null); // $ Alert
+		sslEngine.unwrap(null, null, 0, 0); // $ Alert
 	}
 
 	public void testSSLEngineEndpointIdSafe() throws Exception {
@@ -61,7 +61,7 @@ public void testSSLSocketEndpointIdNotSet() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
-		socket.getOutputStream(); // $hasUnsafeCertTrust
+		socket.getOutputStream(); // $ Alert
 	}
 
 	public void testSSLSocketEndpointIdSetNull() throws Exception {
@@ -71,7 +71,7 @@ public void testSSLSocketEndpointIdSetNull() throws Exception {
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		socket.setSSLParameters(sslParameters);
-		socket.getOutputStream(); // $hasUnsafeCertTrust
+		socket.getOutputStream(); // $ Alert
 	}
 
 	public void testSSLSocketEndpointIdSetEmpty() throws Exception {
@@ -81,14 +81,14 @@ public void testSSLSocketEndpointIdSetEmpty() throws Exception {
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("");
 		socket.setSSLParameters(sslParameters);
-		socket.getOutputStream(); // $hasUnsafeCertTrust
+		socket.getOutputStream(); // $ Alert
 	}
 
 	public void testSSLSocketEndpointIdAfterConnecting() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
-		socket.getOutputStream(); // $hasUnsafeCertTrust
+		socket.getOutputStream(); // $ Alert
 		SSLParameters sslParameters = socket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		socket.setSSLParameters(sslParameters);
@@ -138,7 +138,7 @@ public void testSSLSocketEndpointIdSafeWithSanitizerInCast(boolean safe) throws
 		SSLParameters sslParameters = sslSocket.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		sslSocket.setSSLParameters(sslParameters);
-		socket.getOutputStream(); // $ SPURIOUS: hasUnsafeCertTrust
+		socket.getOutputStream(); // $ SPURIOUS: Alert
 	}
 
 	public void testSocketEndpointIdNotSet() throws Exception {
@@ -150,11 +150,11 @@ public void testSocketEndpointIdNotSet() throws Exception {
 	public void testRabbitMQFactoryEnableHostnameVerificationNotSet() throws Exception {
 		{
 			ConnectionFactory connectionFactory = new ConnectionFactory();
-			connectionFactory.useSslProtocol(SSLContext.getDefault()); // $hasUnsafeCertTrust
+			connectionFactory.useSslProtocol(SSLContext.getDefault()); // $ Alert
 		}
 		{
 			ConnectionFactory connectionFactory = new ConnectionFactory();
-			connectionFactory.setSslContextFactory(new TestSslContextFactory()); // $hasUnsafeCertTrust
+			connectionFactory.setSslContextFactory(new TestSslContextFactory()); // $ Alert
 		}
 	}
 

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-273/UnsafeCertTrust.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql