github · atorralba · Jan 24, 2022 · Nov 12, 2021 · Nov 12, 2021 · Nov 12, 2021
@@ -1,28 +1,52 @@
+/** Provides classes and predicates to reason about insecure `TrustManager`s. */
+
+import java
+private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.security.SecurityFlag
+
+/** The creation of an insecure `TrustManager`. */
+abstract class InsecureTrustManagerSource extends DataFlow::Node { }
+
+private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSource {
+  DefaultInsecureTrustManagerSource() {
+    this.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
+  }
+}
+
 /**
- * @name `TrustManager` that accepts all certificates
- * @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/insecure-trustmanager
- * @tags security
- *       external/cwe/cwe-295
+ * The use of a `TrustManager` in an SSL context.
+ * Intentionally insecure connections are not considered sinks.
  */
+abstract class InsecureTrustManagerSink extends DataFlow::Node {
+  InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) }
+}
 
-import java
-import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.Encryption
-import semmle.code.java.security.SecurityFlag
-import DataFlow::PathGraph
+private class DefaultInsecureTrustManagerSink extends InsecureTrustManagerSink {
+  DefaultInsecureTrustManagerSink() {
+    exists(MethodAccess ma, Method m |
+      m.hasName("init") and
+      m.getDeclaringType() instanceof SSLContext and
+      ma.getMethod() = m
+    |
+      ma.getArgument(1) = this.asExpr()
+    )
+  }
+}
+
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
+private predicate isGuardedByInsecureFlag(DataFlow::Node node) {
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
+  )
+}
 
 /**
  * An insecure `X509TrustManager`.
  * An `X509TrustManager` is considered insecure if it never throws a `CertificateException`
  * and therefore implicitly trusts any certificate as valid.
  */
-class InsecureX509TrustManager extends RefType {
+private class InsecureX509TrustManager extends RefType {
   InsecureX509TrustManager() {
     this.getASupertype*() instanceof X509TrustManager and
     exists(Method m |
@@ -59,27 +83,6 @@ private predicate mayThrowCertificateException(Method m) {
   )
 }
 
-/**
- * A configuration to model the flow of an `InsecureX509TrustManager` to an `SSLContext.init` call.
- */
-class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
-  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m |
-      m.hasName("init") and
-      m.getDeclaringType() instanceof SSLContext and
-      ma.getMethod() = m
-    |
-      ma.getArgument(1) = sink.asExpr()
-    )
-  }
-}
-
 /**
  * Flags suggesting a deliberately insecure `TrustManager` usage.
  */
@@ -98,20 +101,3 @@ private class InsecureTrustManagerFlag extends FlagKind {
 private Guard getAnInsecureTrustManagerFlagGuard() {
   result = any(InsecureTrustManagerFlag flag).getAFlag().asExpr()
 }
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
-private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
-    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
-  )
-}
-
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, InsecureTrustManagerConfiguration cfg,
-  RefType trustManager
-where
-  cfg.hasFlowPath(source, sink) and
-  not isNodeGuardedByFlag(sink.getNode()) and
-  trustManager = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
-select sink, source, sink, "$@ that is defined $@ and trusts any certificate, is used here.",
-  source, "This trustmanager", trustManager, "here"
@@ -0,0 +1,25 @@
+/** Provides taint tracking configurations to be used in Trust Manager queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.InsecureTrustManager
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
+  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof InsecureTrustManagerSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
+}
@@ -4,8 +4,8 @@
 <qhelp>
 <overview>
 <p>
-If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code> it trusts every certificate.
-This allows an attacker to perform a machine-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
+If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code>, it trusts every certificate.
+This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.
 </p>
 
 <p>
@@ -42,6 +42,6 @@ is loaded into a <code>KeyStore</code>. This explicitly defines the certificate
 </example>
 
 <references>
-<li>Android Develoers:<a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
+<li>Android Developers: <a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
 </references>
 </qhelp>
@@ -0,0 +1,21 @@
+/**
+ * @name `TrustManager` that accepts all certificates
+ * @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/insecure-trustmanager
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.InsecureTrustManagerQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
+select sink, source, sink, "This $@, which is defined $@ and trusts any certificate, is used here.",
+  source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query "`TrustManager` that accepts all certificates" (`java/insecure-trustmanager`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @intrigus-lgtm](https://github.com/github/codeql/pull/4879).