@@ -89,22 +89,36 @@ predicate isProviderUrlSetter(MethodAccess ma) {
8989}
9090
9191/**
92- * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple ` in some `Hashtable`.
92+ * Holds if `ma` sets `fieldValue` with attribute name `fieldName` to `envValue ` in some `Hashtable`.
9393 */
94- predicate isSimpleAuthEnv ( MethodAccess ma ) {
94+ bindingset [ fieldName, fieldValue, envValue]
95+ predicate hasEnvWithValue ( MethodAccess ma , string fieldName , string fieldValue , string envValue ) {
9596 ma .getMethod ( ) .getDeclaringType ( ) .getAnAncestor ( ) instanceof TypeHashtable and
9697 ( ma .getMethod ( ) .hasName ( "put" ) or ma .getMethod ( ) .hasName ( "setProperty" ) ) and
9798 (
98- ma .getArgument ( 0 ) .( CompileTimeConstantExpr ) .getStringValue ( ) =
99- "java.naming.security.authentication"
99+ ma .getArgument ( 0 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = fieldValue
100100 or
101101 exists ( Field f |
102102 ma .getArgument ( 0 ) = f .getAnAccess ( ) and
103- f .hasName ( "SECURITY_AUTHENTICATION" ) and
103+ f .hasName ( fieldName ) and
104104 f .getDeclaringType ( ) instanceof TypeNamingContext
105105 )
106106 ) and
107- ma .getArgument ( 1 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = "simple"
107+ ma .getArgument ( 1 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = envValue
108+ }
109+
110+ /**
111+ * Holds if `ma` sets `java.naming.security.authentication` (also known as `Context.SECURITY_AUTHENTICATION`) to `simple` in some `Hashtable`.
112+ */
113+ predicate isSimpleAuthEnv ( MethodAccess ma ) {
114+ hasEnvWithValue ( ma , "SECURITY_AUTHENTICATION" , "java.naming.security.authentication" , "simple" )
115+ }
116+
117+ /**
118+ * Holds if `ma` sets `java.naming.security.protocol` (also known as `Context.SECURITY_PROTOCOL`) to `ssl` in some `Hashtable`.
119+ */
120+ predicate isSSLEnv ( MethodAccess ma ) {
121+ hasEnvWithValue ( ma , "SECURITY_PROTOCOL" , "java.naming.security.protocol" , "ssl" )
108122}
109123
110124/**
@@ -124,6 +138,10 @@ class LdapAuthFlowConfig extends TaintTracking::Configuration {
124138 exists ( MethodAccess sma |
125139 sma .getQualifier ( ) = pma .getQualifier ( ) .( VarAccess ) .getVariable ( ) .getAnAccess ( ) and
126140 isSimpleAuthEnv ( sma )
141+ ) and
142+ not exists ( MethodAccess sma |
143+ sma .getQualifier ( ) = pma .getQualifier ( ) .( VarAccess ) .getVariable ( ) .getAnAccess ( ) and
144+ isSSLEnv ( sma )
127145 )
128146 )
129147 }
0 commit comments