Merge pull request #10041 from smowton/AddSensitiveApiCalls

Java: support more libraries in hardcoded-credentials queries

Author: smowton

java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects. 

java/ql/src/Security/CWE/CWE-798/HardcodedCredentials.qll renamed to java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates relating to hardcoded credentials.
+ */
+
 import java
 import SensitiveApi
 

java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll

@@ -0,0 +1,54 @@
+/**
+ * Provides a data-flow configuration for tracking a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import HardcodedCredentials
+
+/**
+ * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
+  HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr() instanceof HardcodedExpr and
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
+  }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr().getType() instanceof TypeString and
+    (
+      exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
+        node2.asExpr() = ma and
+        ma.getQualifier() = node1.asExpr()
+      )
+      or
+      // These base64 routines are usually taint propagators, and this is not a general
+      // TaintTracking::Configuration, so we must specifically include them here
+      // as a common transform applied to a constant before passing to a remote API.
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .hasQualifiedName([
+                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
+                "apache.commons.codec.binary", "org.springframework.util"
+              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
+              [
+                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
+                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
+                "encodeBase64URLSafeString"
+              ])
+      |
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma
+      )
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
+  }
+}

java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll

@@ -0,0 +1,26 @@
+/**
+ * Provides classes and predicates to detect comparing a parameter to a hard-coded credential.
+ */
+
+import java
+import HardcodedCredentials
+
+/**
+ * A call to a method that is or overrides `java.lang.Object.equals`.
+ */
+class EqualsAccess extends MethodAccess {
+  EqualsAccess() { getMethod() instanceof EqualsMethod }
+}
+
+/**
+ * Holds if `sink` compares password `p` against a hardcoded expression `source`.
+ */
+predicate isHardcodedCredentialsComparison(
+  EqualsAccess sink, HardcodedExpr source, PasswordVariable p
+) {
+  source = sink.getQualifier() and
+  p.getAnAccess() = sink.getArgument(0)
+  or
+  source = sink.getArgument(0) and
+  p.getAnAccess() = sink.getQualifier()
+}

java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll

@@ -0,0 +1,51 @@
+/**
+ * Provides classes to detect using a hard-coded credential in a sensitive call.
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow2
+import HardcodedCredentials
+
+/**
+ * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
+  HardcodedCredentialSourceCallConfiguration() {
+    this = "HardcodedCredentialSourceCallConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
+}
+
+/**
+ * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
+  HardcodedCredentialSourceCallConfiguration2() {
+    this = "HardcodedCredentialSourceCallConfiguration2"
+  }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
+}
+
+/**
+ * An argument to a call, where the parameter name corresponding
+ * to the argument indicates that it may contain credentials, and
+ * where this expression does not flow on to another `CredentialsSink`.
+ */
+class FinalCredentialsSourceSink extends CredentialsSourceSink {
+  FinalCredentialsSourceSink() {
+    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
+      this != other
+    |
+      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
+    )
+  }
+}

java/ql/lib/semmle/code/java/security/HardcodedPasswordField.qll

@@ -0,0 +1,15 @@
+/**
+ * Provides a predicate identifying assignments of harcoded values to password fields.
+ */
+
+import java
+import HardcodedCredentials
+
+/**
+ * Holds if non-empty constant value `e` is assigned to password field `f`.
+ */
+predicate passwordFieldAssignedHardcodedValue(PasswordVariable f, CompileTimeConstantExpr e) {
+  f instanceof Field and
+  f.getAnAssignedValue() = e and
+  not e.(StringLiteral).getValue() = ""
+}

java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll renamed to java/ql/lib/semmle/code/java/security/SensitiveApi.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides predicates defining methods that consume sensitive data, such as usernames and passwords.
+ */
+
 import java
 
 /**
@@ -438,6 +442,49 @@ private predicate otherApiCallableCredentialParam(string s) {
       "com.azure.identity.UsernamePasswordCredentialBuilder;username(String);0",
       "com.azure.identity.UsernamePasswordCredentialBuilder;password(String);0",
       "com.azure.identity.ClientSecretCredentialBuilder;clientSecret(String);0",
-      "org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0"
+      "org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0",
+      "com.jcraft.jsch.JSch;getSession(String, String, int);0",
+      "com.jcraft.jsch.JSch;getSession(String, String);0",
+      "ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, String, int);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, SocketAddress);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, char[]);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, String);0",
+      "com.sshtools.j2ssh.authentication.SshAuthenticationClient;setUsername(String);0",
+      "com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;setUsername(String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPassword(String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithNone(String);0",
+      "com.trilead.ssh2.Connection;getRemainingAuthMethods(String);0",
+      "com.trilead.ssh2.Connection;isAuthMethodAvailable(String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, File, String);0",
+      "com.jcraft.jsch.Session;setPassword(byte[]);0",
+      "com.jcraft.jsch.Session;setPassword(String);0",
+      "ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);1",
+      "org.apache.sshd.client.session.AbstractClientSession;addPasswordIdentity(String);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, char[]);1",
+      "net.schmizz.sshj.SSHClient;authPassword(String, String);1",
+      "com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;setPassword(String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPassword(String, String);1",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);2",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);2",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, File, String);2",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);1",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);1",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String);0",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String, String);0",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String);1",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String, String);1",
+      "com.mongodb.MongoCredential;createCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createMongoCRCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createPlainCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createGSSAPICredential(String);0",
+      "com.mongodb.MongoCredential;createMongoX509Credential(String);0",
+      "com.mongodb.MongoCredential;createCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createMongoCRCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createPlainCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);2"
     ]
 }

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -10,55 +10,9 @@
  *       external/cwe/cwe-798
  */
 
-import java
-import semmle.code.java.dataflow.DataFlow
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentialsApiCallQuery
 import DataFlow::PathGraph
 
-class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
-  HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr() instanceof HardcodedExpr and
-    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
-  }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.asExpr().getType() instanceof TypeString and
-    (
-      exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
-        node2.asExpr() = ma and
-        ma.getQualifier() = node1.asExpr()
-      )
-      or
-      // These base64 routines are usually taint propagators, and this is not a general
-      // TaintTracking::Configuration, so we must specifically include them here
-      // as a common transform applied to a constant before passing to a remote API.
-      exists(MethodAccess ma |
-        ma.getMethod()
-            .hasQualifiedName([
-                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
-                "apache.commons.codec.binary", "org.springframework.util"
-              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
-              [
-                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
-                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
-                "encodeBase64URLSafeString"
-              ])
-      |
-        node1.asExpr() = ma.getArgument(0) and
-        node2.asExpr() = ma
-      )
-    )
-  }
-
-  override predicate isBarrier(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
-  }
-}
-
 from
   DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialApiCallConfiguration conf
 where conf.hasFlowPath(source, sink)

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql

@@ -11,17 +11,8 @@
  */
 
 import java
-import HardcodedCredentials
-
-class EqualsAccess extends MethodAccess {
-  EqualsAccess() { getMethod() instanceof EqualsMethod }
-}
+import semmle.code.java.security.HardcodedCredentialsComparison
 
 from EqualsAccess sink, HardcodedExpr source, PasswordVariable p
-where
-  source = sink.getQualifier() and
-  p.getAnAccess() = sink.getArgument(0)
-  or
-  source = sink.getArgument(0) and
-  p.getAnAccess() = sink.getQualifier()
+where isHardcodedCredentialsComparison(sink, source, p)
 select source, "Hard-coded value is $@ with password variable $@.", sink, "compared", p, p.getName()

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql

@@ -11,41 +11,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow2
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
 import DataFlow::PathGraph
 
-class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
-  HardcodedCredentialSourceCallConfiguration() {
-    this = "HardcodedCredentialSourceCallConfiguration"
-  }
-
-  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
-}
-
-class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
-  HardcodedCredentialSourceCallConfiguration2() {
-    this = "HardcodedCredentialSourceCallConfiguration2"
-  }
-
-  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
-}
-
-class FinalCredentialsSourceSink extends CredentialsSourceSink {
-  FinalCredentialsSourceSink() {
-    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
-      this != other
-    |
-      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
-    )
-  }
-}
-
 from
   DataFlow::PathNode source, DataFlow::PathNode sink,
   HardcodedCredentialSourceCallConfiguration conf