Revamp the functions to have a string parameter

luchua-bc · luchua-bc · commit 7b44ee50ea0e · 2020-12-17T14:26:13.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
@@ -12,31 +12,28 @@
 import java
 
 /* Holds if the attribute value is not a cleartext password */
-predicate isNotPassword(XMLAttribute attr) {
-  exists(string value | value = attr.getValue().trim() |
-    value = "" // Empty string
-    or
-    value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${password}
-    or
-    value.matches("%=") // A basic check of encrypted passwords ending with padding characters, which could be improved to be more accurate.
-  )
+bindingset[value]
+predicate isNotPassword(string value) {
+  value = "" // Empty string
+  or
+  value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${password}
+  or
+  value.matches("%=") // A basic check of encrypted passwords ending with padding characters, which could be improved to be more accurate.
 }
 
 /* Holds if the attribute value has an embedded password */
-predicate hasEmbeddedPassword(XMLAttribute attr) {
+bindingset[value]
+predicate hasEmbeddedPassword(string value) {
   exists(string password |
-    password = attr.getValue().regexpCapture("(?is).*(pwd|password)\\s*=([^;:,]*).*", 2).trim() and
-    not (
-      password = "" or
-      password.regexpMatch("\\$\\{.*\\}") or
-      password.matches("%=")
-    )
+    password = value.regexpCapture("(?is).*(pwd|password)\\s*=([^;:,]*).*", 2).trim() and
+    not isNotPassword(password)
   )
 }
 
 from XMLAttribute nameAttr
 where
-  nameAttr.getName().toLowerCase() in ["password", "pwd"] and not isNotPassword(nameAttr) // Attribute name "password" or "pwd"
+  nameAttr.getName().toLowerCase() in ["password", "pwd"] and
+  not isNotPassword(nameAttr.getValue().trim()) // Attribute name "password" or "pwd"
   or
   exists(
     XMLAttribute valueAttr // name/value pair like <property name="password" value="mysecret"/>
@@ -45,8 +42,8 @@ where
     nameAttr.getName().toLowerCase() = "name" and
     nameAttr.getValue().toLowerCase() in ["password", "pwd"] and
     valueAttr.getName().toLowerCase() = "value" and
-    not isNotPassword(valueAttr)
+    not isNotPassword(valueAttr.getValue().trim())
   )
   or
-  hasEmbeddedPassword(nameAttr) // Attribute value matches password pattern
+  hasEmbeddedPassword(nameAttr.getValue().trim()) // Attribute value matches password pattern
 select nameAttr, "Plaintext password in configuration file."
