Add stubs and tests for new hardcoded-credential sinks

Author: smowton

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java

@@ -0,0 +1,13 @@
+import org.apache.commons.net.ftp.FTPClient;
+
+import java.io.IOException;
+
+public class HardcodedApacheFtpCredentials {
+	public static void main(FTPClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      client.login("username", "password");
+      client.login("username", "password", "blah");
+    } catch(IOException e) { }
+	}
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java

@@ -0,0 +1,12 @@
+import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.session.AbstractClientSession;
+import java.io.IOException;
+
+public class HardcodedApacheSshdCredentials {
+	public static void main(SshClient client, AbstractClientSession session) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client.connect("Username", "hostname", 22);
+    client.connect("Username", null);
+    session.addPasswordIdentity("password");
+	}
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected

@@ -15,6 +15,10 @@ edges
 | User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
 | User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
 nodes
+| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | semmle.label | "username" |
+| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | semmle.label | "password" |
+| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | semmle.label | "username" |
+| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | semmle.label | "password" |
 | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
 | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
 | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
@@ -29,14 +33,74 @@ nodes
 | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
+| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | semmle.label | "username" |
+| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | semmle.label | "password" |
+| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | semmle.label | "Username" |
+| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
+| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | semmle.label | "password" |
+| HardcodedJschCredentials.java:10:41:10:50 | "Username" | semmle.label | "Username" |
+| HardcodedJschCredentials.java:11:42:11:51 | "Username" | semmle.label | "Username" |
+| HardcodedJschCredentials.java:12:27:12:36 | "password" | semmle.label | "password" |
+| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | semmle.label | "Username" |
+| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | semmle.label | "Username" |
+| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | semmle.label | "Username" |
+| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | semmle.label | "Username" |
+| HardcodedMongoCredentials.java:9:44:9:48 | "key" | semmle.label | "key" |
+| HardcodedMongoCredentials.java:10:47:10:51 | "key" | semmle.label | "key" |
+| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
+| HardcodedSshjCredentials.java:8:37:8:46 | "password" | semmle.label | "password" |
+| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | semmle.label | "password" |
+| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | semmle.label | "key" |
+| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | semmle.label | "password" |
+| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | semmle.label | "Username" |
+| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | semmle.label | "password" |
 | Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
 | Test.java:26:17:26:20 | pass | semmle.label | pass |
 | User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
 | User.java:2:43:2:50 | "123456" : String | semmle.label | "123456" : String |
 | User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
 subpaths
 #select
+| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | sensitive call |
+| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | sensitive call |
+| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | sensitive call |
+| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | sensitive call |
 | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive call |
 | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive call |
+| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | sensitive call |
+| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | sensitive call |
+| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | sensitive call |
+| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | sensitive call |
+| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | sensitive call |
+| HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:10:41:10:50 | "Username" | sensitive call |
+| HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:11:42:11:51 | "Username" | sensitive call |
+| HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:12:27:12:36 | "password" | sensitive call |
+| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | sensitive call |
+| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | sensitive call |
+| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | sensitive call |
+| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | sensitive call |
+| HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:9:44:9:48 | "key" | sensitive call |
+| HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:10:47:10:51 | "key" | sensitive call |
+| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | sensitive call |
+| HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:37:8:46 | "password" | sensitive call |
+| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | sensitive call |
+| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | sensitive call |
+| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | sensitive call |
+| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | sensitive call |
+| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | sensitive call |
 | Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call |
 | User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call |

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected

@@ -0,0 +1,11 @@
+import ch.ethz.ssh2.Connection;
+import java.io.IOException;
+
+public class HardcodedGanymedSsh2Credentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  conn.authenticateWithPassword("username", "password");
+    } catch(IOException e) { }
+	}
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedGanymedSsh2Credentials.java

@@ -0,0 +1,11 @@
+import com.sshtools.j2ssh.authentication.SshAuthenticationClient;
+import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
+
+public class HardcodedJ2sshCredentials {
+  public static void main(SshAuthenticationClient client1, PasswordAuthenticationClient client2) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client1.setUsername("Username");
+    client2.setUsername("Username");
+    client2.setPassword("password");
+  }
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJ2sshCredentials.java

@@ -0,0 +1,16 @@
+import com.jcraft.jsch.JSch;
+import com.jcraft.jsch.JSchException;
+import com.jcraft.jsch.Session;
+import java.io.IOException;
+
+public class HardcodedJschCredentials {
+	public static void main(JSch jsch) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      Session session = jsch.getSession("Username", "hostname");
+      Session session2 = jsch.getSession("Username", "hostname", 22);
+      session.setPassword("password");
+      session2.setPassword("password".getBytes());
+    } catch(JSchException e) { }
+	}
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJschCredentials.java

@@ -0,0 +1,12 @@
+import com.mongodb.MongoCredential;
+
+public class HardcodedMongoCredentials {
+  public static void test() {
+    MongoCredential.createCredential("Username", "blah", "password".toCharArray());
+    MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray());
+    MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray());
+    MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray());
+    MongoCredential.createGSSAPICredential("key");
+    MongoCredential.createMongoX509Credential("key");
+  }
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedMongoCredentials.java

@@ -0,0 +1,13 @@
+import net.schmizz.sshj.SSHClient;
+import java.io.IOException;
+
+public class HardcodedSshjCredentials {
+	public static void main(SSHClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  client.authPassword("Username", "password");
+      client.authPassword("Username", "password".toCharArray());
+    }
+    catch(IOException e) { }
+	}
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedSshjCredentials.java

@@ -0,0 +1,19 @@
+import com.trilead.ssh2.Connection;
+
+import java.io.IOException;
+import java.io.File;
+
+public class HardcodedTrileadSshCredentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      conn.authenticateWithPassword("Username", "password");
+      conn.authenticateWithDSA("Username", "password", "key");
+      conn.authenticateWithNone("Username");
+      conn.getRemainingAuthMethods("Username");
+      conn.isAuthMethodAvailable("Username", "method");
+      conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password");
+      conn.authenticateWithPublicKey("Username", (File)null, "password");
+    } catch(IOException e) { }
+  }
+}