Refactor HardcodedCredentialsApiCall.qll

egregius313 · egregius313 · commit 2698b61514b4 · 2023-03-29T22:33:08.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll
@@ -7,9 +7,11 @@ import semmle.code.java.dataflow.DataFlow
 import HardcodedCredentials
 
 /**
+ * DEPRECATED: Use `HardcodedCredentialApiCallFlow` instead.
+ *
  * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
  */
-class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
+deprecated class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
   HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
 
   override predicate isSource(DataFlow::Node n) {
@@ -52,3 +54,53 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
     n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
   }
 }
+
+/**
+ * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+private module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) {
+    n.asExpr() instanceof HardcodedExpr and
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
+  }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr().getType() instanceof TypeString and
+    (
+      exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
+        node2.asExpr() = ma and
+        ma.getQualifier() = node1.asExpr()
+      )
+      or
+      // These base64 routines are usually taint propagators, and this is not a general
+      // TaintTracking::Configuration, so we must specifically include them here
+      // as a common transform applied to a constant before passing to a remote API.
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .hasQualifiedName([
+                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
+                "apache.commons.codec.binary", "org.springframework.util"
+              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
+              [
+                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
+                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
+                "encodeBase64URLSafeString"
+              ])
+      |
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma
+      )
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
+  }
+}
+
+/**
+ * Tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+module HardcodedCredentialApiCallFlow = DataFlow::Global<HardcodedCredentialApiCallConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -11,10 +11,9 @@
  */
 
 import semmle.code.java.security.HardcodedCredentialsApiCallQuery
-import DataFlow::PathGraph
+import HardcodedCredentialApiCallFlow::PathGraph
 
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialApiCallConfiguration conf
-where conf.hasFlowPath(source, sink)
+from HardcodedCredentialApiCallFlow::PathNode source, HardcodedCredentialApiCallFlow::PathNode sink
+where HardcodedCredentialApiCallFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "Hard-coded value flows to $@.", sink.getNode(),
   "sensitive API call"
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
@@ -9,9 +9,7 @@ class HardcodedCredentialsApiCallTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "HardcodedCredentialsApiCall" and
-    exists(DataFlow::Node sink, HardcodedCredentialApiCallConfiguration conf |
-      conf.hasFlow(_, sink)
-    |
+    exists(DataFlow::Node sink | HardcodedCredentialApiCallFlow::flow(_, sink) |
       sink.getLocation() = location and
       element = sink.toString() and
       value = ""
