Java: add CleartextStorageCookie test

Given that it's a non-path-problem dataflow query, the InlineExpectationsTest is not as useful.

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.expected

@@ -0,0 +1,21 @@
+| CleartextStorageCookieTest.java:22:7:22:40 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:20:31:20:62 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:20:54:20:61 | password | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:48:77:48:84 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:49:59:49:83 | getPassword(...) | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.java

@@ -0,0 +1,79 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+import org.owasp.esapi.Encoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.security.MessageDigest;
+import java.net.PasswordAuthentication;
+
+public class CleartextStorageCookieTest extends HttpServlet {
+  HttpServletResponse response;
+  String name = "user";
+  String password = "BP@ssw0rd"; // $ Source
+
+  public void doGet() throws Exception {
+    {
+      Cookie nameCookie = new Cookie("name", name);
+      nameCookie.setValue(name);
+      response.addCookie(nameCookie); // Safe
+      Cookie passwordCookie = new Cookie("password", password);
+      passwordCookie.setValue(password);
+      response.addCookie(passwordCookie); // $ Alert
+      Cookie encodedPasswordCookie = new Cookie("password", encrypt(password));
+      encodedPasswordCookie.setValue(encrypt(password));
+      response.addCookie(encodedPasswordCookie); // Safe
+    }
+    {
+      io.netty.handler.codec.http.Cookie nettyNameCookie =
+        new io.netty.handler.codec.http.DefaultCookie("name", name);
+      nettyNameCookie.setValue(name); // Safe
+
+      io.netty.handler.codec.http.Cookie nettyPasswordCookie =
+        new io.netty.handler.codec.http.DefaultCookie("password", password);
+      nettyPasswordCookie.setValue(password); // $ MISSING: Alert (netty not supported by query)
+
+      io.netty.handler.codec.http.cookie.Cookie nettyEncodedPasswordCookie =
+          new io.netty.handler.codec.http.cookie.DefaultCookie("password", encrypt(password));
+      nettyEncodedPasswordCookie.setValue(encrypt(password)); // Safe
+    }
+    {
+      Encoder enc = null;
+      String value = enc.encodeForHTML(password);
+      Cookie cookie = new Cookie("password", value);
+      response.addCookie(cookie); // $ Alert
+    }
+    {
+      String data;
+      PasswordAuthentication credentials = new PasswordAuthentication(name, password.toCharArray());
+      data = credentials.getUserName() + ":" + new String(credentials.getPassword());
+
+      // BAD: store data in a cookie in cleartext form
+      response.addCookie(new Cookie("auth", data)); // $ Alert
+    }
+    {
+      String data;
+      PasswordAuthentication credentials =
+          new PasswordAuthentication(name, password.toCharArray());
+      String salt = "ThisIsMySalt";
+      MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
+      messageDigest.reset();
+      String credentialsToHash =
+          credentials.getUserName() + ":" + new String(credentials.getPassword());
+      byte[] hashedCredsAsBytes =
+          messageDigest.digest((salt+credentialsToHash).getBytes("UTF-8"));
+      data = new String(hashedCredsAsBytes);
+
+      // GOOD: store data in a cookie in encrypted form
+      response.addCookie(new Cookie("auth", data)); // Safe
+    }
+  }
+
+
+  private static String encrypt(String cleartext) throws Exception {
+    MessageDigest digest = MessageDigest.getInstance("SHA-256");
+    byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
+    String encoded = Base64.getEncoder().encodeToString(hash);
+    return encoded;
+  }
+}

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/CleartextStorageCookieTest.qlref

@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-312/CleartextStorageCookie.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/security/CWE-312/CleartextStorageCookie/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../../stubs/esapi-2.0.1:${testdir}/../../../../stubs/netty-4.1.x