Adapt InsecureBasicAuth to the previous commit

2026-05-05 21:55:19 +02:00 · 2021-09-15 17:16:37 +02:00
parent 2e08c5dd2b
commit 5ed9949498
4 changed files with 196 additions and 327 deletions
--- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuth.qll
@@ -0,0 +1,45 @@
+/** Provides classes and predicates to reason about Insecure Basic Authentication vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.HttpsUrls
+
+/**
+ * A source that represents HTTP URLs.
+ * Extend this class to add your own Insecure Basic Authentication sources.
+ */
+abstract class InsecureBasicAuthSource extends DataFlow::Node { }
+
+/** A default source representing HTTP strings, URLs or URIs. */
+private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource {
+  DefaultInsecureBasicAuthSource() { this.asExpr() instanceof HttpStringLiteral }
+}
+
+/**
+ * A sink that represents a method that sets Basic Authentication.
+ * Extend this class to add your own Insecure Basic Authentication sinks.
+ */
+abstract class InsecureBasicAuthSink extends DataFlow::Node { }
+
+/** A default sink representing methods that set an Authorization header. */
+private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink {
+  DefaultInsecureBasicAuthSink() {
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("addHeader") or
+      ma.getMethod().hasName("setHeader") or
+      ma.getMethod().hasName("setRequestProperty")
+    |
+      this.asExpr() = ma.getQualifier() and
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Authorization" and
+      TaintTracking::localExprTaint(any(BasicAuthString b), ma.getArgument(1))
+    )
+  }
+}
+
+/**
+ * String pattern of basic authentication.
+ */
+private class BasicAuthString extends StringLiteral {
+  BasicAuthString() { exists(string s | this.getRepresentedString() = s | s.matches("Basic %")) }
+}
--- a/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll
@@ -0,0 +1,22 @@
+/** Provides taint tracking configurations to be used in Insecure Basic Authentication queries. */
+
+import java
+import semmle.code.java.security.HttpsUrls
+import semmle.code.java.security.InsecureBasicAuth
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A taint tracking configuration for the Basic authentication scheme
+ * being used in HTTP connections.
+ */
+class BasicAuthFlowConfig extends TaintTracking::Configuration {
+  BasicAuthFlowConfig() { this = "InsecureBasicAuth::BasicAuthFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
+  }
+}