Refactor HardcodedCredentialsSourceCall

2026-04-27 17:55:19 +02:00 · 2023-04-03 14:01:20 -04:00
parent 15d5ad7a66
commit 735a7383c6
3 changed files with 47 additions and 13 deletions
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll
@@ -8,10 +8,12 @@ import semmle.code.java.dataflow.DataFlow2
 import HardcodedCredentials

 /**
+ * DEPRECATED: Use `HardcodedCredentialSourceCallFlow` instead.
+ *
 * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
 * it may be a credential, excluding those which flow on to other such insecure usage sites.
 */
-class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
+deprecated class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
  HardcodedCredentialSourceCallConfiguration() {
    this = "HardcodedCredentialSourceCallConfiguration"
  }
@@ -22,10 +24,28 @@ class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration
 }

 /**
+ * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
+}
+
+/**
+ * Tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+module HardcodedCredentialSourceCallFlow = DataFlow::Global<HardcodedCredentialSourceCallConfig>;
+
+/**
+ * DEPRECATED: Use `HardcodedCredentialParameterSourceCallFlow` instead.
+ *
 * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
 * a credential, to an argument to a sensitive call.
 */
-class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
+deprecated class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
  HardcodedCredentialSourceCallConfiguration2() {
    this = "HardcodedCredentialSourceCallConfiguration2"
  }
@@ -35,6 +55,23 @@ class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configurati
  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
 }

+/**
+ * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+module HardcodedCredentialParameterSourceCallConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
+
+  predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
+}
+
+/**
+ * Tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+module HardcodedCredentialParameterSourceCallFlow =
+  DataFlow::Global<HardcodedCredentialParameterSourceCallConfig>;
+
 /**
 * An argument to a call, where the parameter name corresponding
 * to the argument indicates that it may contain credentials, and
@@ -42,10 +79,9 @@ class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configurati
 */
 class FinalCredentialsSourceSink extends CredentialsSourceSink {
  FinalCredentialsSourceSink() {
-    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
-      this != other
-    |
-      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
+    not exists(CredentialsSink other | this != other |
+      HardcodedCredentialParameterSourceCallFlow::flow(DataFlow::exprNode(this),
+        DataFlow::exprNode(other))
    )
  }
 }
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -12,11 +12,11 @@

 import java
 import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
-import DataFlow::PathGraph
+import HardcodedCredentialSourceCallFlow::PathGraph

 from
-  DataFlow::PathNode source, DataFlow::PathNode sink,
-  HardcodedCredentialSourceCallConfiguration conf
-where conf.hasFlowPath(source, sink)
+  HardcodedCredentialSourceCallFlow::PathNode source,
+  HardcodedCredentialSourceCallFlow::PathNode sink
+where HardcodedCredentialSourceCallFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "Hard-coded value flows to $@.", sink.getNode(),
  "sensitive call"
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
@@ -9,9 +9,7 @@ class HardcodedCredentialsSourceCallTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "HardcodedCredentialsSourceCall" and
-    exists(DataFlow::Node sink, HardcodedCredentialSourceCallConfiguration conf |
-      conf.hasFlow(_, sink)
-    |
+    exists(DataFlow::Node sink | HardcodedCredentialSourceCallFlow::flow(_, sink) |
      sink.getLocation() = location and
      element = sink.toString() and
      value = ""