Add stubs and tests for new hardcoded-credential sinks

Chris Smowton
2022-05-30 20:41:17 +01:00
parent 60e0f09586
commit 0a6ccbca45
231 changed files with 5520 additions and 7 deletions


@@ -0,0 +1,13 @@
import org.apache.commons.net.ftp.FTPClient;
import java.io.IOException;
public class HardcodedApacheFtpCredentials {
public static void main(FTPClient client) {
// BAD: Hardcoded credentials used for the session username and/or password.
try {
client.login("username", "password");
client.login("username", "password", "blah");
} catch(IOException e) { }
}
}
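Review bot: The single `// BAD` comment above the `try` does not say which arguments are expected to be reported, and the third argument of `client.login("username", "password", "blah")` is not mentioned at all. The expected rows visible on this page list only columns 20 and 32 on lines 9 and 10 of this file, so the account string appears to be deliberately outside the sink model. A per-call comment such as `// BAD: username and password are hard-coded; the account argument "blah" is not expected to be flagged` would record that intent next to the call. The empty `catch(IOException e) { }` is harmless in a fixture, but a short `// exception handling is irrelevant to this test` inside it would make that explicit.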


@@ -0,0 +1,12 @@
import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.session.AbstractClientSession;
import java.io.IOException;
public class HardcodedApacheSshdCredentials {
public static void main(SshClient client, AbstractClientSession session) {
// BAD: Hardcoded credentials used for the session username and/or password.
client.connect("Username", "hostname", 22);
client.connect("Username", null);
session.addPasswordIdentity("password");
}
}
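Review bot: The `// BAD` comment sits above both `client.connect("Username", ...)` calls, yet the only expected row visible on this page for this file is `HardcodedApacheSshdCredentials.java:10:33:10:42`, the `addPasswordIdentity("password")` argument, so the two hard-coded usernames look unreported. If that is intended, say so on those lines, e.g. `// not reported: the username argument of connect is not modelled as a sink`. If it is not intended, the sink model or the stub signatures for `SshClient.connect` are worth checking, because an expected-output test bakes a missed result in as the passing baseline. `import java.io.IOException;` is unused in this file and can be dropped.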


@@ -27,9 +27,16 @@ edges
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
| HardcodedJschCredentials.java:13:28:13:37 | "password" : String | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) |
| HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) |
| HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) |
| HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) |
| HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) |
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) |
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) |
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) |
| HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) |
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) |
| Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
| Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
| Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
@@ -63,6 +70,11 @@ nodes
| FileCredentialTest.java:23:36:23:36 | v | semmle.label | v |
| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | semmle.label | "ACCESS_KEY" |
| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | semmle.label | "SECRET_KEY" |
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | semmle.label | "username" |
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | semmle.label | "password" |
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | semmle.label | "username" |
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | semmle.label | "password" |
| HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | semmle.label | "password" |
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
@@ -81,12 +93,55 @@ nodes
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | semmle.label | "username" |
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | semmle.label | "password" |
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | semmle.label | "Username" |
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | semmle.label | "password" |
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | semmle.label | "Username" |
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | semmle.label | "Username" |
| HardcodedJschCredentials.java:12:27:12:36 | "password" | semmle.label | "password" |
| HardcodedJschCredentials.java:13:28:13:37 | "password" : String | semmle.label | "password" : String |
| HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | semmle.label | getBytes(...) |
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | semmle.label | "password" : String |
| HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | semmle.label | "password" : String |
| HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | semmle.label | "password" : String |
| HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | semmle.label | "password" : String |
| HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | semmle.label | "key" |
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | semmle.label | "key" |
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | semmle.label | "TEST123" : String |
| HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | semmle.label | getBytes(...) |
| HardcodedShiroKey.java:18:46:18:87 | decode(...) | semmle.label | decode(...) |
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | semmle.label | "4AvVhmFLUs0KTA3Kprsdag==" : String |
| HardcodedShiroKey.java:26:46:26:109 | decode(...) | semmle.label | decode(...) |
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | semmle.label | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String |
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | semmle.label | "password" |
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | semmle.label | "Username" |
| HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | semmle.label | "password" : String |
| HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | semmle.label | "password" |
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | semmle.label | "password" |
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | semmle.label | "key" |
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | semmle.label | "key" : String |
| HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | semmle.label | toCharArray(...) |
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | semmle.label | "password" |
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | semmle.label | "password" |
| Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
| Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
@@ -118,12 +173,53 @@ subpaths
| FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call |
| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | sensitive API call |
| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | sensitive API call |
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | sensitive API call |
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | sensitive API call |
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | sensitive API call |
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | sensitive API call |
| HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | Hard-coded value flows to $@. | HardcodedApacheSshdCredentials.java:10:33:10:42 | "password" | sensitive API call |
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | sensitive API call |
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | sensitive API call |
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | sensitive API call |
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | sensitive API call |
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | sensitive API call |
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:10:41:10:50 | "Username" | sensitive API call |
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:11:42:11:51 | "Username" | sensitive API call |
| HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:12:27:12:36 | "password" | sensitive API call |
| HardcodedJschCredentials.java:13:28:13:37 | "password" | HardcodedJschCredentials.java:13:28:13:37 | "password" : String | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | Hard-coded value flows to $@. | HardcodedJschCredentials.java:13:28:13:48 | getBytes(...) | sensitive API call |
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | sensitive API call |
| HardcodedMongoCredentials.java:5:58:5:67 | "password" | HardcodedMongoCredentials.java:5:58:5:67 | "password" : String | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:58:5:81 | toCharArray(...) | sensitive API call |
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | sensitive API call |
| HardcodedMongoCredentials.java:6:65:6:74 | "password" | HardcodedMongoCredentials.java:6:65:6:74 | "password" : String | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:65:6:88 | toCharArray(...) | sensitive API call |
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | sensitive API call |
| HardcodedMongoCredentials.java:7:63:7:72 | "password" | HardcodedMongoCredentials.java:7:63:7:72 | "password" : String | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:63:7:86 | toCharArray(...) | sensitive API call |
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | sensitive API call |
| HardcodedMongoCredentials.java:8:67:8:76 | "password" | HardcodedMongoCredentials.java:8:67:8:76 | "password" : String | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:67:8:90 | toCharArray(...) | sensitive API call |
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:9:44:9:48 | "key" | sensitive API call |
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:10:47:10:51 | "key" | sensitive API call |
| HardcodedShiroKey.java:9:46:9:54 | "TEST123" | HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | sensitive API call |
| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" | HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:18:46:18:87 | decode(...) | sensitive API call |
| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" | HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:26:46:26:109 | decode(...) | sensitive API call |
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | sensitive API call |
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:37:8:46 | "password" | sensitive API call |
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | sensitive API call |
| HardcodedSshjCredentials.java:9:39:9:48 | "password" | HardcodedSshjCredentials.java:9:39:9:48 | "password" : String | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:39:9:62 | toCharArray(...) | sensitive API call |
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | sensitive API call |
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:44:11:53 | "password" | sensitive API call |
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | sensitive API call |
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" | HardcodedTrileadSshCredentials.java:15:50:15:54 | "key" : String | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:50:15:68 | toCharArray(...) | sensitive API call |
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | sensitive API call |
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | sensitive API call |
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | sensitive API call |
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |


@@ -15,6 +15,10 @@ edges
| User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
| User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
nodes
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | semmle.label | "username" |
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | semmle.label | "password" |
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | semmle.label | "username" |
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | semmle.label | "password" |
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
@@ -29,6 +33,34 @@ nodes
| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | semmle.label | "username" |
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | semmle.label | "password" |
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | semmle.label | "Username" |
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | semmle.label | "password" |
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | semmle.label | "Username" |
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | semmle.label | "Username" |
| HardcodedJschCredentials.java:12:27:12:36 | "password" | semmle.label | "password" |
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | semmle.label | "Username" |
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | semmle.label | "key" |
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | semmle.label | "key" |
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | semmle.label | "Username" |
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | semmle.label | "password" |
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | semmle.label | "password" |
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | semmle.label | "key" |
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | semmle.label | "password" |
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | semmle.label | "Username" |
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | semmle.label | "password" |
| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
| Test.java:26:17:26:20 | pass | semmle.label | pass |
| User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
@@ -36,7 +68,39 @@ nodes
| User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
subpaths
#select
| HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:20:9:29 | "username" | sensitive call |
| HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:9:32:9:41 | "password" | sensitive call |
| HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:20:10:29 | "username" | sensitive call |
| HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | Hard-coded value flows to $@. | HardcodedApacheFtpCredentials.java:10:32:10:41 | "password" | sensitive call |
| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive call |
| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive call |
| HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:35:8:44 | "username" | sensitive call |
| HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | Hard-coded value flows to $@. | HardcodedGanymedSsh2Credentials.java:8:47:8:56 | "password" | sensitive call |
| HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:7:25:7:34 | "Username" | sensitive call |
| HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:8:25:8:34 | "Username" | sensitive call |
| HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | Hard-coded value flows to $@. | HardcodedJ2sshCredentials.java:9:25:9:34 | "password" | sensitive call |
| HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | HardcodedJschCredentials.java:10:41:10:50 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:10:41:10:50 | "Username" | sensitive call |
| HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | HardcodedJschCredentials.java:11:42:11:51 | "Username" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:11:42:11:51 | "Username" | sensitive call |
| HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | HardcodedJschCredentials.java:12:27:12:36 | "password" | Hard-coded value flows to $@. | HardcodedJschCredentials.java:12:27:12:36 | "password" | sensitive call |
| HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:5:38:5:47 | "Username" | sensitive call |
| HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:6:45:6:54 | "Username" | sensitive call |
| HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:7:43:7:52 | "Username" | sensitive call |
| HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:8:47:8:56 | "Username" | sensitive call |
| HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | HardcodedMongoCredentials.java:9:44:9:48 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:9:44:9:48 | "key" | sensitive call |
| HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | HardcodedMongoCredentials.java:10:47:10:51 | "key" | Hard-coded value flows to $@. | HardcodedMongoCredentials.java:10:47:10:51 | "key" | sensitive call |
| HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:25:8:34 | "Username" | sensitive call |
| HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | HardcodedSshjCredentials.java:8:37:8:46 | "password" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:8:37:8:46 | "password" | sensitive call |
| HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | Hard-coded value flows to $@. | HardcodedSshjCredentials.java:9:27:9:36 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:37:10:46 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:10:49:10:58 | "password" | sensitive call |
| HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:32:11:41 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:11:56:11:60 | "key" | sensitive call |
| HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:12:33:12:42 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:13:36:13:45 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:14:34:14:43 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:38:15:47 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:15:71:15:80 | "password" | sensitive call |
| HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:38:16:47 | "Username" | sensitive call |
| HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | Hard-coded value flows to $@. | HardcodedTrileadSshCredentials.java:16:62:16:71 | "password" | sensitive call |
| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call |
| User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call |


@@ -0,0 +1,11 @@
import ch.ethz.ssh2.Connection;
import java.io.IOException;
public class HardcodedGanymedSsh2Credentials {
public static void main(Connection conn) {
// BAD: Hardcoded credentials used for the session username and/or password.
try {
conn.authenticateWithPassword("username", "password");
} catch(IOException e) { }
}
}


@@ -0,0 +1,11 @@
import com.sshtools.j2ssh.authentication.SshAuthenticationClient;
import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
public class HardcodedJ2sshCredentials {
public static void main(SshAuthenticationClient client1, PasswordAuthenticationClient client2) {
// BAD: Hardcoded credentials used for the session username and/or password.
client1.setUsername("Username");
client2.setUsername("Username");
client2.setPassword("password");
}
}


@@ -0,0 +1,16 @@
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.io.IOException;
public class HardcodedJschCredentials {
public static void main(JSch jsch) {
// BAD: Hardcoded credentials used for the session username and/or password.
try {
Session session = jsch.getSession("Username", "hostname");
Session session2 = jsch.getSession("Username", "hostname", 22);
session.setPassword("password");
session2.setPassword("password".getBytes());
} catch(JSchException e) { }
}
}
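Review bot: The `byte[]` password in `session2.setPassword("password".getBytes());` has no row in the expected `#select` output, which reports only lines 10 to 12 of this file, although the edges section records a step from `"password"` to `getBytes(...)`. The same gap appears for the `"password".toCharArray()` arguments in HardcodedMongoCredentials (lines 5 to 8) and HardcodedSshjCredentials (line 9), where only the `"Username"` and `"key"` literals are reported. If the converted value is meant to reach a sink, the expected file should carry those rows. If it is not, a comment on each call such as `// not reported: password is converted before reaching the call` would record that the omission is deliberate and is not a silent false negative in the credential query.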


@@ -0,0 +1,12 @@
import com.mongodb.MongoCredential;
public class HardcodedMongoCredentials {
public static void test() {
MongoCredential.createCredential("Username", "blah", "password".toCharArray());
MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray());
MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray());
MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray());
MongoCredential.createGSSAPICredential("key");
MongoCredential.createMongoX509Credential("key");
}
}
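Review bot: `createGSSAPICredential("key")` and `createMongoX509Credential("key")` pass a literal called "key" in what the MongoDB driver declares as the user-name parameter, so the two `"key"` rows in the expected output read like key-material findings when they are user-name findings. Using `"Username"` there, as the four calls above do, would keep the expected output self-explanatory. This is also the only new test file without the marker comment the others carry, so I would add `// BAD: Hardcoded credentials used for the session username and/or password.` above the first call.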


@@ -0,0 +1,13 @@
import net.schmizz.sshj.SSHClient;
import java.io.IOException;
public class HardcodedSshjCredentials {
public static void main(SSHClient client) {
// BAD: Hardcoded credentials used for the session username and/or password.
try {
client.authPassword("Username", "password");
client.authPassword("Username", "password".toCharArray());
}
catch(IOException e) { }
}
}


@@ -0,0 +1,19 @@
import com.trilead.ssh2.Connection;
import java.io.IOException;
import java.io.File;
public class HardcodedTrileadSshCredentials {
public static void main(Connection conn) {
// BAD: Hardcoded credentials used for the session username and/or password.
try {
conn.authenticateWithPassword("Username", "password");
conn.authenticateWithDSA("Username", "password", "key");
conn.authenticateWithNone("Username");
conn.getRemainingAuthMethods("Username");
conn.isAuthMethodAvailable("Username", "method");
conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password");
conn.authenticateWithPublicKey("Username", (File)null, "password");
} catch(IOException e) { }
}
}
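Review bot: In `conn.authenticateWithDSA("Username", "password", "key");` the two secret literals look swapped relative to the parameters they fill. The expected output reports columns 32-41 and 56-60 of line 11, the first and third arguments, so the reported third argument holds `"key"` while `"password"` sits in the unreported second position. If the signature is (user, pem, password), as in the Ganymed API this library appears to mirror, `conn.authenticateWithDSA("Username", "key", "password");` would make the test say what it checks. The column ranges for line 11 in the expected file would need regenerating afterwards.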


@@ -1 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient
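Review bot: The classpath now includes `stubs/apache-mina-sshd-2.8.0`, yet the expected `#select` output contains no row for HardcodedApacheSshdCredentials.java. That test calls `client.connect("Username", "hostname", 22)` and `session.addPasswordIdentity("password")` under a `// BAD:` comment. Either the sink model does not match the stubbed signatures, or the results are being dropped somewhere. This is worth confirming before merge, since a test marked BAD with no expected alert hides a false negative. If the absence is intended for now, the comment in that file should say so, for example `// BAD (not yet detected): hardcoded SSH user name and password`.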