Merge pull request github#3487 from luchua-bc/java-sensitive-jboss-logging

aschackmull · web-flow · commit 6f03a0bc39f4 · 2020-05-19T11:04:18.000+02:00
Add JBoss logging
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -16,7 +16,7 @@ import PathGraph
  * Gets a regular expression for matching names of variables that indicate the value being held is a credential
  */
 private string getACredentialRegex() {
-  result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
+  result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
   result = "(?i)(.*username|url).*"
 }
 
@@ -31,14 +31,19 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
   LoggerType() {
     this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
-    this.hasQualifiedName("org.slf4j", "Logger") //SLF4j and Gradle Logging
+    this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
+    this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging
   }
 }
 
 predicate isSensitiveLoggingSink(DataFlow::Node sink) {
   exists(MethodAccess ma |
     ma.getMethod().getDeclaringType() instanceof LoggerType and
-    (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives
+    (
+      ma.getMethod().hasName("debug") or
+      ma.getMethod().hasName("trace") or
+      ma.getMethod().hasName("debugf")
+    ) and //Check low priority log levels which are more likely to be real issues to reduce false positives
     sink.asExpr() = ma.getAnArgument()
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ import PathGraph`
`16`	`16`	`* Gets a regular expression for matching names of variables that indicate the value being held is a credential`
`17`	`17`	`*/`
`18`	`18`	`private string getACredentialRegex() {`
`19`		`- result = "(?i).pass(wd\|word\|code\|phrase)(?!.question).*" or`
	`19`	`+ result = "(?i).challenge\|pass(wd\|word\|code\|phrase)(?!.question).*" or`
`20`	`20`	`result = "(?i)(.username\|url)."`
`21`	`21`	`}`
`22`	`22`
`@@ -31,14 +31,19 @@ class CredentialExpr extends Expr {`
`31`	`31`	`class LoggerType extends RefType {`
`32`	`32`	`LoggerType() {`
`33`	`33`	`this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J`
`34`		`- this.hasQualifiedName("org.slf4j", "Logger") //SLF4j and Gradle Logging`
	`34`	`+ this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging`
	`35`	`+ this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging`
`35`	`36`	`}`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`predicate isSensitiveLoggingSink(DataFlow::Node sink) {`
`39`	`40`	`exists(MethodAccess ma \|`
`40`	`41`	`ma.getMethod().getDeclaringType() instanceof LoggerType and`
`41`		`- (ma.getMethod().hasName("debug") or ma.getMethod().hasName("trace")) and //Check low priority log levels which are more likely to be real issues to reduce false positives`
	`42`	`+ (`
	`43`	`+ ma.getMethod().hasName("debug") or`
	`44`	`+ ma.getMethod().hasName("trace") or`
	`45`	`+ ma.getMethod().hasName("debugf")`
	`46`	`+ ) and //Check low priority log levels which are more likely to be real issues to reduce false positives`
`42`	`47`	`sink.asExpr() = ma.getAnArgument()`
`43`	`48`	`)`
`44`	`49`	`}`