Move public classes/predicates to top of library file

egregius313 · egregius313 · commit 0eaf222b54dd · 2023-03-27T12:16:44.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuth.qll
@@ -5,31 +5,6 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.frameworks.Networking
 private import semmle.code.java.frameworks.Jndi
 
-/**
- * An insecure (non-SSL, non-private) LDAP URL string literal.
- */
-private class InsecureLdapUrlLiteral extends StringLiteral {
-  InsecureLdapUrlLiteral() {
-    // Match connection strings with the LDAP protocol and without private IP addresses to reduce false positives.
-    exists(string s | this.getValue() = s |
-      s.regexpMatch("(?i)ldap://[\\[a-zA-Z0-9].*") and
-      not s.substring(7, s.length()) instanceof PrivateHostName
-    )
-  }
-}
-
-/** The class `java.util.Hashtable`. */
-private class TypeHashtable extends Class {
-  TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }
-}
-
-/** Get the string value of an expression representing a hostname. */
-private string getHostname(Expr expr) {
-  result = expr.(CompileTimeConstantExpr).getStringValue() or
-  result =
-    expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
-}
-
 /**
  * An expression that represents an insecure (non-SSL, non-private) LDAP URL.
  */
@@ -54,6 +29,34 @@ class InsecureLdapUrl extends Expr {
   }
 }
 
+/**
+ * A sink representing the construction of a `DirContextEnvironment`.
+ */
+class InsecureLdapUrlSink extends DataFlow::Node {
+  InsecureLdapUrlSink() {
+    exists(ConstructorCall cc |
+      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
+      this.asExpr() = cc.getArgument(0)
+    )
+  }
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
+ */
+predicate isBasicAuthEnv(MethodAccess ma) {
+  hasFieldValueEnv(ma, "java.naming.security.authentication", "simple") or
+  hasFieldNameEnv(ma, "SECURITY_AUTHENTICATION", "simple")
+}
+
+/**
+ * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
+ */
+predicate isSslEnv(MethodAccess ma) {
+  hasFieldValueEnv(ma, "java.naming.security.protocol", "ssl") or
+  hasFieldNameEnv(ma, "SECURITY_PROTOCOL", "ssl")
+}
+
 /**
  * Holds if `ma` writes the `java.naming.provider.url` (also known as `Context.PROVIDER_URL`) key of a `Hashtable`.
  */
@@ -71,11 +74,36 @@ predicate isProviderUrlSetter(MethodAccess ma) {
   )
 }
 
+/**
+ * An insecure (non-SSL, non-private) LDAP URL string literal.
+ */
+private class InsecureLdapUrlLiteral extends StringLiteral {
+  InsecureLdapUrlLiteral() {
+    // Match connection strings with the LDAP protocol and without private IP addresses to reduce false positives.
+    exists(string s | this.getValue() = s |
+      s.regexpMatch("(?i)ldap://[\\[a-zA-Z0-9].*") and
+      not s.substring(7, s.length()) instanceof PrivateHostName
+    )
+  }
+}
+
+/** The class `java.util.Hashtable`. */
+private class TypeHashtable extends Class {
+  TypeHashtable() { this.getSourceDeclaration().hasQualifiedName("java.util", "Hashtable") }
+}
+
+/** Get the string value of an expression representing a hostname. */
+private string getHostname(Expr expr) {
+  result = expr.(CompileTimeConstantExpr).getStringValue() or
+  result =
+    expr.(VarAccess).getVariable().getAnAssignedValue().(CompileTimeConstantExpr).getStringValue()
+}
+
 /**
  * Holds if `ma` sets `fieldValue` to `envValue` in some `Hashtable`.
  */
 bindingset[fieldValue, envValue]
-predicate hasFieldValueEnv(MethodAccess ma, string fieldValue, string envValue) {
+private predicate hasFieldValueEnv(MethodAccess ma, string fieldValue, string envValue) {
   // environment.put("java.naming.security.authentication", "simple")
   ma.getMethod().getDeclaringType().getAnAncestor() instanceof TypeHashtable and
   ma.getMethod().hasName(["put", "setProperty"]) and
@@ -98,28 +126,3 @@ private predicate hasFieldNameEnv(MethodAccess ma, string fieldName, string envV
   ) and
   ma.getArgument(1).(CompileTimeConstantExpr).getStringValue() = envValue
 }
-
-/**
- * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
- */
-predicate isBasicAuthEnv(MethodAccess ma) {
-  hasFieldValueEnv(ma, "java.naming.security.authentication", "simple") or
-  hasFieldNameEnv(ma, "SECURITY_AUTHENTICATION", "simple")
-}
-
-/**
- * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
- */
-predicate isSslEnv(MethodAccess ma) {
-  hasFieldValueEnv(ma, "java.naming.security.protocol", "ssl") or
-  hasFieldNameEnv(ma, "SECURITY_PROTOCOL", "ssl")
-}
-
-class InsecureLdapUrlSink extends DataFlow::Node {
-  InsecureLdapUrlSink() {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().getAnAncestor() instanceof TypeDirContext and
-      this.asExpr() = cc.getArgument(0)
-    )
-  }
-}
