Merge pull request github#3090 from luchua-bc/java-insert-sensitive-info-into-log

Java: CWE-532 sensitive info logging

Author: aschackmull

java/ql/src/experimental/CWE-532/SensitiveInfoLog.java

@@ -0,0 +1,18 @@
+public static void main(String[] args) {
+    {
+        private static final Logger logger = LogManager.getLogger(SensitiveInfoLog.class);
+
+        String password = "Pass@0rd";
+
+        // BAD: user password is written to debug log
+        logger.debug("User password is "+password);
+    }
+	
+    {
+        private static final Logger logger = LogManager.getLogger(SensitiveInfoLog.class);
+  
+        String password = "Pass@0rd";
+
+        // GOOD: user password is never written to debug log
+    }
+}

java/ql/src/experimental/CWE-532/SensitiveInfoLog.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Third-party logging utilities like Log4J and SLF4J are widely used in Java projects. When sensitive information is written to logs without properly set logging levels, it is accessible to potential attackers who can use it to gain access to
+file storage.</p>
+</overview>
+
+<recommendation>
+<p>Do not write secrets into the log files and enforce proper logging level control.</p>
+</recommendation>
+
+<example>
+<p>The following example shows two ways of logging sensitive information. In the 'BAD' case,
+the credentials are simply written to a debug log. In the 'GOOD' case, the credentials are never written to debug logs.</p>
+<sample src="SensitiveInfoLog.java" />
+</example>
+
+<references>
+<li>
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">OWASP Logging Guide</a>
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql

@@ -0,0 +1,61 @@
+/**
+ * @id java/sensitiveinfo-in-logfile
+ * @name Insertion of sensitive information into log files
+ * @description Writing sensitive information to log files can give valuable guidance to an attacker or expose sensitive user information.
+ * @kind path-problem
+ * @tags security
+ *       external/cwe-532
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow
+import PathGraph
+
+/**
+ * Gets a regular expression for matching names of variables that indicate the value being held is a credential
+ */
+private string getACredentialRegex() {
+  result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
+  result = "(?i)(.*username|url).*"
+}
+
+/** Variable keeps sensitive information judging by its name * */
+class CredentialExpr extends Expr {
+  CredentialExpr() {
+    exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch(getACredentialRegex()))
+  }
+}
+
+/** Class of popular logging utilities * */
+class LoggerType extends RefType {
+  LoggerType() {
+    this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
+    this.hasQualifiedName("org.slf4j", "Logger") //SLF4j and Gradle Logging
+  }
+}
+
+predicate isSensitiveLoggingSink(DataFlow::Node sink) {
+  exists(MethodAccess ma |
+    ma.getMethod().getDeclaringType() instanceof LoggerType and
+    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives
+    sink.asExpr() = ma.getAnArgument()
+  )
+}
+
+class LoggerConfiguration extends DataFlow::Configuration {
+  LoggerConfiguration() { this = "Logger Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
+
+  override predicate isSink(DataFlow::Node sink) { isSensitiveLoggingSink(sink) }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    TaintTracking::localTaintStep(node1, node2)
+  }
+}
+
+from LoggerConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Outputting $@ to log.", source.getNode(),
+  "sensitive information"