Use InlineExpectationsTest

Author: atorralba

java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth.expected

@@ -11,21 +11,21 @@
 import java.net.URLConnection;
 import java.util.Base64;
 
-public class InsecureBasicAuth {
+public class InsecureBasicAuthTest {
 	/**
 	 * Test basic authentication with Apache HTTP POST request using string constructor.
 	 */
 	public void testApacheHttpRequest(String username, String password) {
 		String host = "www.example.com";
-		HttpRequestBase post = new HttpPost("http://"+host+"/rest/getuser.do?uid=abcdx");
+		HttpRequestBase post = new HttpPost("http://" + host + "/rest/getuser.do?uid=abcdx");
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
@@ -35,7 +35,8 @@ public void testApacheHttpRequest2(String url) throws java.io.IOException {
 		String urlStr = "http://www.example.com:8000/payment/retrieve";
 		HttpGet get = new HttpGet(urlStr);
 		get.setHeader("Accept", "application/json");
-		get.setHeader("Authorization", "Basic " + new String(Base64.getEncoder().encode("admin:test".getBytes())));
+		get.setHeader("Authorization", // $hasInsecureBasicAuth
+				"Basic " + new String(Base64.getEncoder().encode("admin:test".getBytes())));
 	}
 
 	/**
@@ -46,44 +47,47 @@ public void testApacheHttpRequest3(String username, String password) {
 		HttpRequestBase post = new HttpPost(URI.create(uriStr));
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
-	 * Test basic authentication with Apache HTTP POST request using the URI constructor with one argument.
+	 * Test basic authentication with Apache HTTP POST request using the URI constructor with one
+	 * argument.
 	 */
 	public void testApacheHttpRequest4(String username, String password) throws Exception {
 		String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 		URI uri = new URI(uriStr);
 		HttpRequestBase post = new HttpPost(uri);
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
-	 * Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments.
+	 * Test basic authentication with Apache HTTP POST request using a URI constructor with multiple
+	 * arguments.
 	 */
 	public void testApacheHttpRequest5(String username, String password) throws Exception {
-		HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
+		HttpRequestBase post =
+				new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null));
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
@@ -94,12 +98,12 @@ public void testApacheHttpRequest6(String username, String password) {
 		BasicHttpRequest post = new BasicHttpRequest("POST", uriStr);
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
@@ -111,16 +115,17 @@ public void testApacheHttpRequest7(String username, String password) {
 		BasicHttpRequest post = new BasicHttpRequest(requestLine);
 		post.setHeader("Accept", "application/json");
 		post.setHeader("Content-type", "application/json");
-		
+
 		String authString = username + ":" + password;
 		byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
 		String authStringEnc = new String(authEncBytes);
 
-		post.addHeader("Authorization", "Basic " + authStringEnc);
+		post.addHeader("Authorization", "Basic " + authStringEnc); // $hasInsecureBasicAuth
 	}
 
 	/**
-	 * Test basic authentication with Java HTTP URL connection using the `URL(String spec)` constructor.
+	 * Test basic authentication with Java HTTP URL connection using the `URL(String spec)`
+	 * constructor.
 	 */
 	public void testHttpUrlConnection(String username, String password) throws Exception {
 		String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
@@ -130,11 +135,12 @@ public void testHttpUrlConnection(String username, String password) throws Excep
 		HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 		conn.setRequestMethod("POST");
 		conn.setDoOutput(true);
-		conn.setRequestProperty("Authorization", "Basic " + encoding);
+		conn.setRequestProperty("Authorization", "Basic " + encoding); // $hasInsecureBasicAuth
 	}
 
 	/**
-	 * Test basic authentication with Java HTTP URL connection using the `URL(String protocol, String host, String file)` constructor.
+	 * Test basic authentication with Java HTTP URL connection using the `URL(String protocol,
+	 * String host, String file)` constructor.
 	 */
 	public void testHttpUrlConnection2(String username, String password) throws Exception {
 		String host = "www.example.com";
@@ -146,7 +152,7 @@ public void testHttpUrlConnection2(String username, String password) throws Exce
 		HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 		conn.setRequestMethod("POST");
 		conn.setDoOutput(true);
-		conn.setRequestProperty("Authorization", "Basic " + encoding);
+		conn.setRequestProperty("Authorization", "Basic " + encoding); // $hasInsecureBasicAuth
 	}
 
 	/**
@@ -156,9 +162,10 @@ public void testHttpUrlConnection3(String username, String password) throws Exce
 		String host = "LOCALHOST";
 		String authString = username + ":" + password;
 		String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));
-		HttpURLConnection conn = (HttpURLConnection) new URL("http://"+(((host+"/rest/getuser.do")+"?uid=abcdx"))).openConnection();
+		HttpURLConnection conn = (HttpURLConnection) new URL(
+				"http://" + (((host + "/rest/getuser.do") + "?uid=abcdx"))).openConnection();
 		conn.setRequestMethod("POST");
 		conn.setDoOutput(true);
-		conn.setRequestProperty("Authorization", "Basic " + encoding);
+		conn.setRequestProperty("Authorization", "Basic " + encoding); // Safe
 	}
 }

java/ql/test/query-tests/security/CWE-522/InsecureBasicAuth.qlref

@@ -0,0 +1,32 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.InsecureBasicAuth
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:cwe:insecure-basic-auth" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(InsecureBasicAuthAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+class HasInsecureBasicAuthTest extends InlineExpectationsTest {
+  HasInsecureBasicAuthTest() { this = "HasInsecureBasicAuthTest" }
+
+  override string getARelevantTag() { result = "hasInsecureBasicAuth" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasInsecureBasicAuth" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}