Extendign password variable detection with patterns and antipatterns from C# query (#59)

denislevin · web-flow · commit baee3a3db313 · 2024-03-27T12:50:52.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
@@ -66,15 +66,16 @@ class CredentialsApiSink extends CredentialsSink {
  */
 class PasswordVariable extends Variable {
   PasswordVariable() {
-    this.getName().regexpMatch("(?i)(encrypted|old|new)?pass(wd|word|code|phrase)(chars|value)?")
+    this.getName().regexpMatch("(?i).*pass(w|wd|wrd|word|code|phrase|key|_)(chars|value)?(?!.*(size|length|question|path|prompt)).*") or
+    this.getName().regexpMatch("(?i)pwd")
   }
 }
 
 /**
  * A variable whose name indicates that it may hold a user name.
  */
 class UsernameVariable extends Variable {
-  UsernameVariable() { this.getName().regexpMatch("(?i)(user|username)") }
+  UsernameVariable() { this.getName().regexpMatch("(?i)(puid|user|username|userid)(?!.*(characters|claimtype)).*") }
 }
 
 /**
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java
@@ -8,6 +8,7 @@ public static void main(String[] args) throws SQLException {
 		String url = "jdbc:mysql://localhost/test";
 		String usr = "admin"; // hard-coded user name (flow source)
 		String pass = "123456"; // hard-coded password (flow source)
+		String pwd = "myPassword"; // hard-coded password (flow source)
 
 		test(url, usr, pass); // flow through method
 
@@ -26,12 +27,18 @@ public static void main(String[] args) throws SQLException {
 		passwordCheck(pass); // $ HardcodedCredentialsSourceCall
 	}
 
-	public static void test(String url, String user, String password) throws SQLException {
-		DriverManager.getConnection(url, user, password); // $ HardcodedCredentialsApiCall
+	public static void test(String url, String user, String v) throws SQLException {
+		DriverManager.getConnection(url, user, v); // $ HardcodedCredentialsApiCall
 	}
 
 	public static final String password = "myOtherPassword"; // $ HardcodedPasswordField
 
+	public static final String pwd = "myOtherPassword"; // $ HardcodedPasswordField
+
+	public static final String hard_coded_passphrase_chars = "MyPassPhrase"; // $ HardcodedPasswordField
+
+	public static final String password_question = "What is your password?"; // Good: not a password
+
 	public static boolean passwordCheck(String password) {
 		return password.equals("admin"); // $ HardcodedCredentialsComparison
 	}

Original file line number	Diff line number	Diff line change
`@@ -66,15 +66,16 @@ class CredentialsApiSink extends CredentialsSink {`
`66`	`66`	`*/`
`67`	`67`	`class PasswordVariable extends Variable {`
`68`	`68`	`PasswordVariable() {`
`69`		`- this.getName().regexpMatch("(?i)(encrypted\|old\|new)?pass(wd\|word\|code\|phrase)(chars\|value)?")`
	`69`	`+ this.getName().regexpMatch("(?i).pass(w\|wd\|wrd\|word\|code\|phrase\|key\|_)(chars\|value)?(?!.(size\|length\|question\|path\|prompt)).*") or`
	`70`	`+ this.getName().regexpMatch("(?i)pwd")`
`70`	`71`	`}`
`71`	`72`	`}`
`72`	`73`
`73`	`74`	`/**`
`74`	`75`	`* A variable whose name indicates that it may hold a user name.`
`75`	`76`	`*/`
`76`	`77`	`class UsernameVariable extends Variable {`
`77`		`- UsernameVariable() { this.getName().regexpMatch("(?i)(user\|username)") }`
	`78`	`+ UsernameVariable() { this.getName().regexpMatch("(?i)(puid\|user\|username\|userid)(?!.(characters\|claimtype)).") }`
`78`	`79`	`}`
`79`	`80`
`80`	`81`	`/**`