Change InsecureTrustManagerConfiguration to DataFlow

github · atorralba · Jan 24, 2022 · Nov 12, 2021 · Nov 12, 2021 · Nov 12, 2021
commit 967308fbfda50db4ec66634b82258828bb539461
@@ -2,19 +2,24 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.Encryption
 import semmle.code.java.security.InsecureTrustManager
 
 /**
  * A configuration to model the flow of an insecure `TrustManager`
  * to the initialization of an SSL context.
  */
-class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
+class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
   InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof InsecureTrustManagerSource
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
 }
@@ -121,7 +121,7 @@ private static void directInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 	}
 
 	private static void namedVariableFlagDirectInsecureTrustManagerCall()
@@ -145,7 +145,7 @@ private static void noNamedVariableFlagDirectInsecureTrustManagerCall()
 		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
 			SSLContext context = SSLContext.getInstance("TLS");
 			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasTaintFlow
+			context.init(null, trustManager, null); // $ hasValueFlow
 		}
 	}
 
@@ -177,7 +177,7 @@ private static void noStringLiteralFlagDirectInsecureTrustManagerCall()
 		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
 			SSLContext context = SSLContext.getInstance("TLS");
 			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasTaintFlow
+			context.init(null, trustManager, null); // $ hasValueFlow
 		}
 	}
 
@@ -209,7 +209,7 @@ private static void noMethodAccessFlagDirectInsecureTrustManagerCall()
 		if (is42TheAnswerForEverything()) {
 			SSLContext context = SSLContext.getInstance("TLS");
 			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasTaintFlow
+			context.init(null, trustManager, null); // $ hasValueFlow
 		}
 	}
 
@@ -226,7 +226,7 @@ private static void isEqualsIgnoreCaseDirectInsecureTrustManagerCall()
 		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
 			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasTaintFlow
+			context.init(null, trustManager, null); // $ hasValueFlow
 		}
 	}
 
@@ -244,7 +244,7 @@ private static void noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall()
 		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
 			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // $ hasTaintFlow
+			context.init(null, trustManager, null); // $ hasValueFlow
 		}
 	}
 
@@ -264,7 +264,7 @@ private static void namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall()
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -276,7 +276,7 @@ private static void noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -288,7 +288,7 @@ private static void stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall()
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -300,7 +300,7 @@ private static void noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -312,7 +312,7 @@ private static void methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall()
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -324,7 +324,7 @@ private static void noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall(
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 	}
 
 	private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
@@ -336,7 +336,7 @@ private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall(
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
@@ -349,14 +349,14 @@ private static void noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCal
 
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 
 	}
 
 	private static void disableTrustManager()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
 		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // $ hasTaintFlow
+		context.init(null, trustManager, null); // $ hasValueFlow
 	}
 }
@@ -3,9 +3,7 @@ import semmle.code.java.security.InsecureTrustManagerQuery
 import TestUtilities.InlineFlowTest
 
 class InsecureTrustManagerTest extends InlineFlowTest {
-  override DataFlow::Configuration getValueFlowConfig() { none() }
-
-  override TaintTracking::Configuration getTaintFlowConfig() {
+  override DataFlow::Configuration getValueFlowConfig() {
     result = any(InsecureTrustManagerConfiguration c)
   }
 }