Commit 87b54e6

Merge pull request github#12178 from felickz/main
Java - Adding support for com.microsoft.sqlserver.jdbc.SQLServerDataSource to CWE-798
2 parents 180246b + f3124d3 commit 87b54e6

File tree

19 files changed

+605
-2
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The query `java/hardcoded-credential-api-call` now recognizes methods that accept user and password from the SQLServerDataSource class of the Microsoft JDBC Driver for SQL Server.
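Review bot: the note names the class but not the methods that became sinks, and this line is what users read to understand why new `java/hardcoded-credential-api-call` results appear; list them here, e.g. "now recognizes the `setUser(String)`, `setPassword(String)` and `getConnection(String, String)` methods of `com.microsoft.sqlserver.jdbc.SQLServerDataSource`". The `minorAnalysis` category is the right one for a sink-list extension.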

java/ql/lib/semmle/code/java/security/SensitiveApi.qll

Lines changed: 5 additions & 1 deletion
@@ -485,6 +485,10 @@ private predicate otherApiCallableCredentialParam(string s) {
485485
"com.mongodb.MongoCredential;createCredential(String, String, char[]);2",
486486
"com.mongodb.MongoCredential;createMongoCRCredential(String, String, char[]);2",
487487
"com.mongodb.MongoCredential;createPlainCredential(String, String, char[]);2",
488-
"com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);2"
488+
"com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);2",
489+
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;setUser(String);0",
490+
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;setPassword(String);0",
491+
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);0",
492+
"com.microsoft.sqlserver.jdbc.SQLServerDataSource;getConnection(String, String);1",
489493
]
490494
}
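Review bot: all four new entries qualify the methods on `com.microsoft.sqlserver.jdbc.SQLServerDataSource`, but the stubs added by this PR also introduce `ISQLServerDataSource`, and code that holds the data source behind that interface (or behind `javax.sql.DataSource`) resolves `setUser`/`setPassword`/`getConnection` to the interface's declaration; if this predicate is matched against the declaring type of the resolved method rather than against its overrides, those calls will not be flagged. Either add the `ISQLServerDataSource`-qualified entries alongside these four or add a test that calls through the interface type to show it is already covered. Minor: new line 492 ends with a trailing comma before the closing `]`, whereas the entry it replaces as the last element (old line 488) had none; drop it for consistency with the rest of the list.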
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;
2+
3+
public class HardcodedMSSQLCredentials {
4+
public static void main(SQLServerDataSource ds) throws Exception {
5+
ds.setUser("Username"); // $ HardcodedCredentialsApiCall
6+
ds.setPassword("password"); // $ HardcodedCredentialsApiCall
7+
ds.getConnection("Username", null); // $ HardcodedCredentialsApiCall
8+
ds.getConnection(null, "password"); // $ HardcodedCredentialsApiCall
9+
}
10+
}
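Review bot: the test has only positive cases, so it cannot catch a regression that starts reporting non-literal arguments; add at least one call whose argument is not a compile-time constant (for example a `main` parameter or `System.getenv("DB_PASSWORD")` passed to `setPassword`) with no `$ HardcodedCredentialsApiCall` expectation. A single `ds.getConnection("Username", "password")` call would also show that both parameter indices (0 and 1) are reported on the same call, which the two `null` variants on lines 7 and 8 do not exercise. Taking `SQLServerDataSource` as the `main` parameter is fine for a stub-based test; it simply sidesteps the constructor.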
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient
1+
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0

java/ql/test/stubs/mssql-jdbc-12.2.0/com/microsoft/sqlserver/jdbc/ISQLServerDataSource.java

Lines changed: 166 additions & 0 deletions

java/ql/test/stubs/mssql-jdbc-12.2.0/com/microsoft/sqlserver/jdbc/SQLServerAccessTokenCallback.java

Lines changed: 10 additions & 0 deletions

java/ql/test/stubs/mssql-jdbc-12.2.0/com/microsoft/sqlserver/jdbc/SQLServerDataSource.java

Lines changed: 185 additions & 0 deletions
