detects a hard-coded cipher key for shiro

Author: x-f1v3

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -27,9 +27,9 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     node1.asExpr().getType() instanceof TypeString and
-    exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
+    exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray","decode"]) |
       node2.asExpr() = ma and
-      ma.getQualifier() = node1.asExpr()
+      (ma.getQualifier() = node1.asExpr() or ma.getAnArgument() = node1.asExpr())
     )
   }
 

java/ql/src/Security/CWE/CWE-798/SensitiveApi.qll

@@ -490,7 +490,8 @@ private predicate javaApiCallableCryptoKeyParam(string s) {
   s = "sun.security.provider.JavaKeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1" or
   s = "sun.security.tools.keytool.Main;recoverKey(String, char[], char[]);2" or
   s = "sun.security.tools.keytool.Main;getKeyPasswd(String, String, char[]);2" or
-  s = "sun.security.x509.X509Key;decode(byte[]);0"
+  s = "sun.security.x509.X509Key;decode(byte[]);0" or
+  s = "org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0"
 }
 
 /**

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected

@@ -26,6 +26,8 @@ edges
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
 | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
+| HardcodedShiroKey.java:8:46:8:54 | "TEST123" : String | HardcodedShiroKey.java:8:46:8:65 | getBytes(...) |
+| HardcodedShiroKey.java:16:60:16:85 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:16:46:16:86 | decode(...) |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
 | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
@@ -76,6 +78,10 @@ nodes
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
 | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
+| HardcodedShiroKey.java:8:46:8:54 | "TEST123" : String | semmle.label | "TEST123" : String |
+| HardcodedShiroKey.java:8:46:8:65 | getBytes(...) | semmle.label | getBytes(...) |
+| HardcodedShiroKey.java:16:46:16:86 | decode(...) | semmle.label | decode(...) |
+| HardcodedShiroKey.java:16:60:16:85 | "4AvVhmFLUs0KTA3Kprsdag==" : String | semmle.label | "4AvVhmFLUs0KTA3Kprsdag==" : String |
 | Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
 | Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
 | Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
@@ -110,6 +116,8 @@ subpaths
 | HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" | HardcodedAzureCredentials.java:10:34:10:67 | "[email protected]" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
 | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
 | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
+| HardcodedShiroKey.java:8:46:8:54 | "TEST123" | HardcodedShiroKey.java:8:46:8:54 | "TEST123" : String | HardcodedShiroKey.java:8:46:8:65 | getBytes(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:8:46:8:65 | getBytes(...) | sensitive API call |
+| HardcodedShiroKey.java:16:60:16:85 | "4AvVhmFLUs0KTA3Kprsdag==" | HardcodedShiroKey.java:16:60:16:85 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:16:46:16:86 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:16:46:16:86 | decode(...) | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
 | Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedShiroKey.java

@@ -0,0 +1,42 @@
+import org.apache.shiro.web.mgt.CookieRememberMeManager;
+
+public class HardcodedShiroKey {
+
+    //BAD: hard-coded shiro key
+	public void testHardcodedShiroKey(String input) {
+		CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
+        cookieRememberMeManager.setCipherKey("TEST123".getBytes());
+
+	}
+
+	
+	//BAD: hard-coded shiro key 
+	public void testHardcodedbase64ShiroKey(String input) {
+		CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
+        cookieRememberMeManager.setCipherKey(Base64.decode("4AvVhmFLUs0KTA3Kprsdag=="));
+
+	}
+
+	//GOOD: random shiro key
+	public void testRandomShiroKey(String input) {
+		CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
+	}
+
+
+
+	static class Base64 {
+
+		static byte[] decode(String str){
+
+			byte[] x = new byte[1024];
+
+			return x;
+
+		}
+
+	}
+
+
+
+
+}

java/ql/test/query-tests/security/CWE-798/semmle/tests/options

@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0