Refactor InsecureTrustManager

Author: egregius313

java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll

@@ -5,10 +5,12 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.InsecureTrustManager
 
 /**
+ * DEPRECATED: Use `InsecureTrustManagerFlow` instead.
+ *
  * A configuration to model the flow of an insecure `TrustManager`
  * to the initialization of an SSL context.
  */
-class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
+deprecated class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
   InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -23,3 +25,21 @@ class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
     c instanceof DataFlow::ArrayContent
   }
 }
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+private module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof InsecureTrustManagerSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    (isSink(node) or isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
+}
+
+module InsecureTrustManagerFlow = DataFlow::Global<InsecureTrustManagerConfig>;

java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql

@@ -13,10 +13,10 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.InsecureTrustManagerQuery
-import DataFlow::PathGraph
+import InsecureTrustManagerFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
+from InsecureTrustManagerFlow::PathNode source, InsecureTrustManagerFlow::PathNode sink
+where InsecureTrustManagerFlow::flowPath(source, sink)
 select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.",
   source, "TrustManager",
   source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName()

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql

@@ -1,13 +1,18 @@
 import java
 import semmle.code.java.security.InsecureTrustManagerQuery
-import TestUtilities.InlineFlowTest
+import TestUtilities.InlineExpectationsTest
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
+class InsecureTrustManagerTest extends InlineExpectationsTest {
+  InsecureTrustManagerTest() { this = "InsecureTrustManagerTest" }
+
+  override string getARelevantTag() { result = "hasValueFlow" }
 
-class InsecureTrustManagerTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() {
-    result = any(InsecureTrustManagerConfiguration c)
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node sink | InsecureTrustManagerFlow::flowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
   }
 }