github
diff --git a/‎java/change-notes/2021-06-28-unsafe-cert-trust-query.md
Lines changed: 1 addition & 1 deletion b/‎java/change-notes/2021-06-28-unsafe-cert-trust-query.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
Lines changed: 1 addition & 14 deletions b/‎java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
Lines changed: 1 addition & 14 deletions
diff --git a/‎java/ql/src/semmle/code/java/security/UnsafeCertTrust.qll
Lines changed: 0 additions & 42 deletions b/‎java/ql/src/semmle/code/java/security/UnsafeCertTrust.qll
Lines changed: 0 additions & 42 deletions
diff --git a/‎java/ql/src/semmle/code/java/security/UnsafeCertTrustQuery.qll
Lines changed: 62 additions & 0 deletions b/‎java/ql/src/semmle/code/java/security/UnsafeCertTrustQuery.qll
Lines changed: 62 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql
Lines changed: 4 additions & 16 deletions b/‎java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql
Lines changed: 4 additions & 16 deletions
@@ -1,2 +1,2 @@
 lgtm,codescanning
-* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550)
+* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550).
@@ -12,20 +12,7 @@
  */
 
 import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.UnsafeCertTrust
-
-class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
-  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SslUnsafeCertTrustSanitizer
-  }
-}
+import semmle.code.java.security.UnsafeCertTrustQuery
 
 from Expr unsafeTrust
 where
 
@@ -4,7 +4,6 @@ import java
 private import semmle.code.java.frameworks.Networking
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.DataFlow
-private import semmle.code.java.dataflow.DataFlow2
 
 /**
  * The creation of an object that prepares an SSL connection.
@@ -50,19 +49,6 @@ class SslConnectionCreation extends DataFlow::Node {
  */
 abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }
 
-/**
- * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
- */
-private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
-  SslConnectionWithSafeSslParameters() {
-    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
-      config.hasFlowTo(safe) and
-      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
-      DataFlow::localFlow(sanitizer, this)
-    )
-  }
-}
-
 /**
  * An `SSLEngine` set in server mode.
  */
@@ -92,34 +78,6 @@ private predicate isSslSocket(MethodAccess createSocket) {
   createSocket.getQualifier().getType().(RefType).getASupertype*() instanceof SSLSocketFactory
 }
 
-private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
-  SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(MethodAccess ma |
-      ma instanceof SafeSetEndpointIdentificationAlgorithm and
-      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, RefType t | t instanceof SSLSocket or t instanceof SSLEngine |
-      ma.getMethod().hasName("setSSLParameters") and
-      ma.getMethod().getDeclaringType().getASupertype*() = t and
-      ma.getArgument(0) = sink.asExpr()
-    )
-  }
-}
-
-private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
-  SafeSetEndpointIdentificationAlgorithm() {
-    this.getMethod().hasName("setEndpointIdentificationAlgorithm") and
-    this.getMethod().getDeclaringType() instanceof SSLParameters and
-    not this.getArgument(0) instanceof NullLiteral and
-    not this.getArgument(0).(CompileTimeConstantExpr).getStringValue().length() = 0
-  }
-}
-
 /**
  * A call to a method that enables SSL (`useSslProtocol` or `setSslContextFactory`)
  * on an instance of `com.rabbitmq.client.ConnectionFactory` that doesn't set `enableHostnameVerification`.
 
@@ -0,0 +1,62 @@
+/** Provides taint tracking configurations to be used by unsafe certificate trust queries. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeCertTrust
+import semmle.code.java.security.Encryption
+
+class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
+  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SslUnsafeCertTrustSanitizer
+  }
+}
+
+/**
+ * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
+ */
+private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
+  SslConnectionWithSafeSslParameters() {
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
+      config.hasFlowTo(safe) and
+      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
+      DataFlow::localFlow(sanitizer, this)
+    )
+  }
+}
+
+private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
+  SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma instanceof SafeSetEndpointIdentificationAlgorithm and
+      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, RefType t | t instanceof SSLSocket or t instanceof SSLEngine |
+      ma.getMethod().hasName("setSSLParameters") and
+      ma.getMethod().getDeclaringType().getASupertype*() = t and
+      ma.getArgument(0) = sink.asExpr()
+    )
+  }
+}
+
+/**
+ * A call to `SSLParameters.setEndpointIdentificationAlgorithm` with a non-null and non-zero parameter.
+ */
+private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
+  SafeSetEndpointIdentificationAlgorithm() {
+    this.getMethod().hasName("setEndpointIdentificationAlgorithm") and
+    this.getMethod().getDeclaringType() instanceof SSLParameters and
+    not this.getArgument(0) instanceof NullLiteral and
+    not this.getArgument(0).(CompileTimeConstantExpr).getStringValue().length() = 0
+  }
+}
@@ -1,21 +1,7 @@
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.UnsafeCertTrust
+import semmle.code.java.security.UnsafeCertTrustQuery
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:cwe:unsafe-cert-trust" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
-
-  override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SslUnsafeCertTrustSanitizer
-  }
-}
-
 class UnsafeCertTrustTest extends InlineExpectationsTest {
   UnsafeCertTrustTest() { this = "HasUnsafeCertTrustTest" }
 
@@ -26,7 +12,9 @@ class UnsafeCertTrustTest extends InlineExpectationsTest {
     exists(Expr unsafeTrust |
       unsafeTrust instanceof RabbitMQEnableHostnameVerificationNotSet
       or
-      exists(Conf config | config.hasFlowTo(DataFlow::exprNode(unsafeTrust)))
+      exists(SslEndpointIdentificationFlowConfig config |
+        config.hasFlowTo(DataFlow::exprNode(unsafeTrust))
+      )
     |
       unsafeTrust.getLocation() = location and
       element = unsafeTrust.toString() and
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`lgtm,codescanning`
`2`		-* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550)
	`2`	+* The query "Unsafe certificate trust" (`java/unsafe-cert-trust`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3550).