Password in Java EE configuration files

Author: luchua-bc

java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Passwords stored in configuration files should be encrypted. Utilities provided by application servers like keystore and password vault can be used to encrypt and manage passwords.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the first example, the password of a datasource configuration is stored in cleartext in the context.xml file of a Java EE application.
+    </p>
+
+    <p>
+      In the second example, the password of a datasource configuration is encrypted and managed by a password vault.
+    </p>
+    <sample src="context.xml" />
+  </example>
+
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/555.html">CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File</a>
+    </li>
+    <li>
+      RedHat Security Guide:
+      <a href="https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6.1/html/security_guide/Store_and_Retrieve_Encrypted_Sensitive_Strings_in_the_Java_Keystore">STORE AND RETRIEVE ENCRYPTED SENSITIVE STRINGS IN THE JAVA KEYSTORE</a>
+    </li>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/RSPEC-2068">Hard-coded credentials are security-sensitive</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Password in configuration file
+ * @description Finds passwords in configuration files.
+ * @kind problem
+ * @id java/password-in-configuration
+ * @tags security
+ *       external/cwe/cwe-555
+ *       external/cwe/cwe-256
+ *       external/cwe/cwe-260
+ */
+
+import java
+
+predicate isNotPassword(XMLAttribute a) {
+  a.getValue() = "" // Empty string
+  or
+  a.getValue().regexpMatch("\\$\\{.*\\}") // Variable placeholder ${password}
+  or
+  a.getValue().charAt(a.getValue().length() - 1) = "=" // A basic check of encrypted passwords ending with padding characters, which could be improved to be more accurate.
+}
+
+from XMLAttribute a
+where
+  a.getName().toLowerCase() in ["password", "pwd"] and not isNotPassword(a) // Attribute name "password" or "pwd"
+  or
+  exists(
+    XMLAttribute b // name/value pair like <property name="password" value="mysecret"/>
+  |
+    b.getElement() = a.getElement() and
+    a.getName().toLowerCase() = "name" and
+    a.getValue().toLowerCase() in ["password", "pwd"] and
+    b.getName().toLowerCase() = "value" and
+    not isNotPassword(b)
+  )
+  or
+  a.getValue().regexpMatch("(?is).*(pwd|password)\\s*=(?!\\s*;).*") // Attribute value matches password pattern
+select a, "Avoid plaintext passwords in configuration files."

java/ql/src/experimental/Security/CWE/CWE-555/context.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+    <!-- BAD: Password of datasource is in not encrypted -->
+    <Resource name="jdbc/exampleDS" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="1234"
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example.com:3306/proj"/>
+
+    <!-- GOOD: Password is encrypted and stored in a password vault -->
+    <Resource name="jdbc/exampleDS" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="${VAULT::exampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}"
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example.com:3306/proj"/>
+
+</Context>

java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.expected

@@ -0,0 +1,2 @@
+| applicationContext.xml:11:6:11:50 | name=password | Avoid plaintext passwords in configuration files. |
+| context.xml:4:5:8:63 | password=1234 | Avoid plaintext passwords in configuration files. |

java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql

java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
+	    <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
+	    <property name="url" value="jdbc:mysql://www.example.com:3306/test"/>
+	    <property name="username" value="root"/>
+	    <property name="password" value="mysecret"/>
+		<property name="initialSize" value="30"/>
+		
+	 	<property name="maxActive" value="500"/> 
+		<property name="maxIdle" value="2"/>
+		<property name="minIdle" value="1"/>
+</bean>
+
+<bean id="sessionFactory"  class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
+     <property name="dataSource" ref="dataSource"/>
+     
+	    <property name="annotatedClasses">
+	       <list>
+	           <value>com.example.entity.Users</value>
+	        </list>
+	    </property>
+    
+     <property name="hibernateProperties">
+	    <value>
+	        	hibernate.dialect=org.hibernate.dialect.MySQLDialect
+	        	hibernate.hbm2ddl.auto=update
+				hibernate.show_sql=true
+				hibernate.cache.use_second_level_cache=false
+        	    hibernate.cache.provider_class=org.hibernate.cache.internal.NoCacheProvider
+        	    hibernate.generate_statistics=true	      
+	    </value>
+    </property>
+</bean>
+</beans>

java/ql/test/experimental/query-tests/security/CWE-555/context.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+    <!-- BAD: Password of datasource is in not encrypted -->
+    <Resource name="jdbc/exampleDS1" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="1234"
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example1.com:3306/proj"/>
+
+    <!-- GOOD: Password is encrypted and stored in a password vault -->
+    <Resource name="jdbc/exampleDS2" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="${VAULT::exampleDS2::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}"
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example2.com:3306/proj"/>
+
+    <!-- GOOD: Password is not stored in the configuration file -->
+    <Resource name="jdbc/exampleDS3" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="${jdbc.password}"
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example3.com:3306/proj"/>
+
+    <!-- GOOD: Password is encrypted -->
+    <Resource name="jdbc/exampleDS4" auth="Container" type="javax.sql.DataSource"
+               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+               username="root" password="Tg2Nn7wUZOQ6Xc+1lenkZTQ9ZDf9a2/RBRiqJBCIX6o="
+               driverClassName="com.mysql.jdbc.Driver"
+               url="jdbc:mysql://www.example4.com:3306/proj"/>
+               
+</Context>