Enhance the check for embedded passwords

luchua-bc · luchua-bc · commit b44f01a87b69 · 2020-12-17T03:47:38.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
@@ -11,12 +11,27 @@
 
 import java
 
-predicate isNotPassword(XMLAttribute a) {
-  a.getValue() = "" // Empty string
-  or
-  a.getValue().regexpMatch("\\$\\{.*\\}") // Variable placeholder ${password}
-  or
-  a.getValue().matches("%=") // A basic check of encrypted passwords ending with padding characters, which could be improved to be more accurate.
+/* Holds if the attribute value is not a cleartext password */
+predicate isNotPassword(XMLAttribute attr) {
+  exists(string value | value = attr.getValue().trim() |
+    value = "" // Empty string
+    or
+    value.regexpMatch("\\$\\{.*\\}") // Variable placeholder ${password}
+    or
+    value.matches("%=") // A basic check of encrypted passwords ending with padding characters, which could be improved to be more accurate.
+  )
+}
+
+/* Holds if the attribute value has an embedded password */
+predicate hasEmbeddedPassword(XMLAttribute attr) {
+  exists(string password |
+    password = attr.getValue().regexpCapture("(?is).*(pwd|password)\\s*=([^;:,]*).*", 2).trim() and
+    not (
+      password = "" or
+      password.regexpMatch("\\$\\{.*\\}") or
+      password.matches("%=")
+    )
+  )
 }
 
 from XMLAttribute nameAttr
@@ -33,5 +48,5 @@ where
     not isNotPassword(valueAttr)
   )
   or
-  nameAttr.getValue().regexpMatch("(?is).*(pwd|password)\\s*=(?!\\s*;).*") // Attribute value matches password pattern
+  hasEmbeddedPassword(nameAttr) // Attribute value matches password pattern
 select nameAttr, "Plaintext password in configuration file."
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.expected
@@ -1,2 +1,3 @@
 | applicationContext.xml:9:3:9:48 | name=password | Plaintext password in configuration file. |
 | context.xml:4:2:8:50 | password=1234 | Plaintext password in configuration file. |
+| custom-config.xml:3:2:3:137 | value=server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234 | Plaintext password in configuration file. |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml b/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<db-connections>
+	<db-connection name="oracleServerConn" value="server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234" /> 
+</db-connections>

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`\| applicationContext.xml:9:3:9:48 \| name=password \| Plaintext password in configuration file. \|`
`2`	`2`	`\| context.xml:4:2:8:50 \| password=1234 \| Plaintext password in configuration file. \|`
	`3`	`+\| custom-config.xml:3:2:3:137 \| value=server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234 \| Plaintext password in configuration file. \|`