Commit 484533c

Java: Flag "intentionally" unsafe methods in tests.
Previously, intentionally unsafe methods such as `disableCertificate` would be ignored by this query. But now they will also be flagged, as it is hard to guess intentions... Adjust the tests to account for this change.
1 parent 7023793 commit 484533c

2 files changed

+14
-10
lines changed
Lines changed: 11 additions & 7 deletions
@@ -1,10 +1,14 @@
11
edges
2-
| InsecureTrustManagerTest.java:40:55:40:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:41:23:41:34 | trustManager |
3-
| InsecureTrustManagerTest.java:48:56:48:81 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:49:24:49:35 | trustManager |
2+
| InsecureTrustManagerTest.java:42:55:42:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:43:23:43:34 | trustManager |
3+
| InsecureTrustManagerTest.java:50:56:50:81 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:51:24:51:35 | trustManager |
4+
| InsecureTrustManagerTest.java:91:54:91:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:92:22:92:33 | trustManager |
45
nodes
5-
| InsecureTrustManagerTest.java:40:55:40:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
6-
| InsecureTrustManagerTest.java:41:23:41:34 | trustManager | semmle.label | trustManager |
7-
| InsecureTrustManagerTest.java:48:56:48:81 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
8-
| InsecureTrustManagerTest.java:49:24:49:35 | trustManager | semmle.label | trustManager |
6+
| InsecureTrustManagerTest.java:42:55:42:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
7+
| InsecureTrustManagerTest.java:43:23:43:34 | trustManager | semmle.label | trustManager |
8+
| InsecureTrustManagerTest.java:50:56:50:81 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
9+
| InsecureTrustManagerTest.java:51:24:51:35 | trustManager | semmle.label | trustManager |
10+
| InsecureTrustManagerTest.java:91:54:91:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
11+
| InsecureTrustManagerTest.java:92:22:92:33 | trustManager | semmle.label | trustManager |
912
#select
10-
| InsecureTrustManagerTest.java:41:23:41:34 | trustManager | InsecureTrustManagerTest.java:40:55:40:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:41:23:41:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:40:55:40:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:20:23:20:42 | InsecureTrustManager | here |
13+
| InsecureTrustManagerTest.java:43:23:43:34 | trustManager | InsecureTrustManagerTest.java:42:55:42:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:43:23:43:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:42:55:42:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:22:23:22:42 | InsecureTrustManager | here |
14+
| InsecureTrustManagerTest.java:92:22:92:33 | trustManager | InsecureTrustManagerTest.java:91:54:91:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:92:22:92:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:91:54:91:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:22:23:22:42 | InsecureTrustManager | here |
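Review bot: The new expected rows shift every pre-existing location by two lines (40→42, 48→50, and the `InsecureTrustManager` definition 20→22), but the only edit to InsecureTrustManagerTest.java in this commit is the 3-addition/3-deletion comment rewrite at lines 92-95, which adds no net lines; nothing in this commit inserts the two lines these offsets assume, so either the test-source change that adds them is missing from the commit or this expected file will not match the query output. The added 91/92 edge, the two new nodes and the new `#select` row are otherwise consistent with the `// BAD` marker now placed in `disableTrustManager`.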

java/ql/test/query-tests/security/CWE-295/InsecureTrustManagerTest.java

Lines changed: 3 additions & 3 deletions
@@ -89,9 +89,9 @@ public static void main(String[] args) throws Exception {
8989
private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException {
9090
SSLContext context = SSLContext.getInstance("TLS");
9191
TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
92-
context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the
92+
context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the
9393
// certificate
94-
// chain, allowing any certificate. BUT it is the method name suggests that this
95-
// is intentional.
94+
// chain, allowing any certificate. The method name suggests that this may be
95+
// intentional, but we flag it anyway.
9696
}
9797
}
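Review bot: The rewrapped comment at lines 92-95 still breaks mid-sentence across three lines (`... does not verify the` / `// certificate` / `// chain, allowing any certificate. ...`), which makes the BAD annotation that the expected `#select` row at 92:22 keys on harder to read; consider keeping the `// BAD:` sentence on one line and putting the note about intent on the next, e.g. `// BAD: Uses a TrustManager that does not verify the certificate chain, allowing any certificate.` followed by `// The method name suggests this may be intentional, but the query flags it anyway.`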
