+
+
+ An HTTP server which does not use SSL/TLS is vulnerable to man-in-the-middle attacks.
+
+
+ Please, note that it may be safe to ignore this, only if you intend your application to be placed
+ behind a loadbalancer, which is itself securing the connections with the appropriate certificates.
+
+
+
+
+ Use SSL/TLS to encrypt the communication between the client and the server.
+
+
+
+ Instead of setting up a plain HTTP server that doesn't use SSL, such as this one:
+
+
+
+
+ when creating an HTTP server, the setSsl
method should be called on the
+ HttpServerOptions
+ object, and the setKeyStoreOptions
method should be called on the
+ HttpServerOptions
+ object with a KeyStoreOptions
+ object as an argument.
+
+ For example, code such as the one illustrated below should be used to create an HTTP server and secure
+ it with SSL:
+
+
+
+
+
+
+
+
+ Vert.x documentation
+
+
+
+
diff --git a/src/main/ql/InvocationOfVertxVertx.ql b/src/main/ql/InvocationOfVertxVertx.ql
new file mode 100644
index 0000000..327f0dd
--- /dev/null
+++ b/src/main/ql/InvocationOfVertxVertx.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Invocation of VertX.vertx()
+ * @description The VertX.vertx() method should not be invoked directly.
+ * @kind problem
+ * @problem.severity high
+ * @id java/vertx/invocation-of-vertx-vertx
+ * @tags security java/vertx
+ */
+
+import java
+
+class Vertx extends RefType {
+ Vertx() {
+ this.getASourceSupertype*().hasQualifiedName("io.vertx.core", "Vertx")
+ }
+}
+
+class VertxCreateHttpServerMethodAccess extends MethodAccess {
+ VertxCreateHttpServerMethodAccess() {
+ exists(Method m |
+ this.getMethod() = m and
+ m.getName().matches("vertx") and
+ m.getDeclaringType() instanceof Vertx
+ )
+ }
+}
+
+from VertxCreateHttpServerMethodAccess call
+where
+ not call.getEnclosingCallable().getDeclaringType() instanceof Vertx and
+ not call.getLocation().getFile().getRelativePath().matches("%src/test/%") and
+ call.getNumArgument() = 0
+select
+ call,
+ "Invocation of VertX.vertx()"
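Review bot: The class `VertxCreateHttpServerMethodAccess` near the top of the hunk matches calls to `vertx()`, not to `createHttpServer`, so its name misleads anyone reading the `from` clause; renaming it to something like `VertxVertxMethodAccess` would match what the characteristic predicate actually selects. In the same predicate, `m.getName().matches("vertx")` uses the wildcard-pattern comparison for a literal name with no wildcards; `m.hasName("vertx")` states the intent directly. The `where` clause's `call.getNumArgument() = 0` restricts the alert to the zero-argument overload, which looks deliberate but is not explained by the `@description`, so a reader cannot tell whether calls that pass options are meant to be exempt. Consider extending the `@description` with the reason direct invocation is discouraged and noting that only the no-argument form is reported, e.g. `@description Direct calls to Vertx.vertx() with no arguments create an instance with default options; prefer the project's configured factory.`, adjusting the wording to the policy the query is meant to enforce.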
diff --git a/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.expected b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.expected
new file mode 100644
index 0000000..8c4487e
--- /dev/null
+++ b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.expected
@@ -0,0 +1 @@
+| InvocationOfVertxVertx.java:13:9:13:21 | vertx(...) | Invocation of VertX.vertx() |
diff --git a/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.java b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.java
new file mode 100644
index 0000000..a37e5ab
--- /dev/null
+++ b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.java
@@ -0,0 +1,16 @@
+package org.carlspring.security.vertx.http;
+
+import io.vertx.core.Vertx;
+
+/**
+ * @author carlspring
+ */
+public class InvocationOfVertxVertx
+{
+
+ public void start()
+ {
+ Vertx.vertx();
+ }
+
+}
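Review bot: The fixture exercises only the positive case, the bare `Vertx.vertx();` call in `start()`, so the two exclusions in the query's `where` clause (calls declared inside a `Vertx` subtype and calls that pass arguments) have no regression coverage and the `.expected` file cannot tell a correct filter from a broken one. Adding a second method that passes an argument and a nested class extending `Vertx` that calls `vertx()` would let the expected output pin both negative branches. This is a test-completeness point rather than a defect in the fixture itself.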
diff --git a/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.qlref b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.qlref
new file mode 100644
index 0000000..9ce67e9
--- /dev/null
+++ b/src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.qlref
@@ -0,0 +1 @@
+InvocationOfVertxVertx.ql
diff --git a/src/test/ql/test/query-tests/InvocationOfVertxVertx/options b/src/test/ql/test/query-tests/InvocationOfVertxVertx/options
new file mode 100644
index 0000000..a16b40d
--- /dev/null
+++ b/src/test/ql/test/query-tests/InvocationOfVertxVertx/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/ -source 17
diff --git a/src/test/ql/test/query-tests/InvocationOfVertxVertx/pom.xml b/src/test/ql/test/query-tests/InvocationOfVertxVertx/pom.xml
new file mode 100644
index 0000000..38f2317
--- /dev/null
+++ b/src/test/ql/test/query-tests/InvocationOfVertxVertx/pom.xml
@@ -0,0 +1,83 @@
+