Specifically include Base64 encode/decode as a likely intermediate step for hardcoded credentials

Author: smowton

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -34,7 +34,24 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
         ma.getQualifier() = node1.asExpr()
       )
       or
-      FlowSummaryImpl::Private::Steps::summaryThroughStep(node1, node2, false)
+      // These base64 routines are usually taint propagators, and this is not a general
+      // TaintTracking::Configuration, so we must specifically include them here
+      // as a common transform applied to a constant before passing to a remote API.
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .hasQualifiedName([
+                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
+                "apache.commons.codec.binary", "org.springframework.util"
+              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
+              [
+                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
+                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
+                "encodeBase64URLSafeString"
+              ])
+      |
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma
+      )
     )
   }