Update qldoc and make the query more readable

2025-12-20 10:46:30 +01:00 · 2021-03-27 00:11:01 +00:00
parent d33b04cd96
commit a53cbc1631
4 changed files with 101 additions and 10 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.qhelp
@@ -15,7 +15,7 @@
    <p>
      Credentials stored in properties files should be encrypted and recycled regularly. 
      In a Java EE deployment scenario, utilities provided by application servers like 
-      keystore and password vault can be used to encrypt and manage credentials.
+      keystores and password vaults can be used to encrypt and manage credentials.
    </p>
  </recommendation>

@@ -27,7 +27,7 @@

    <p>
      In the second example, the credentials of a LDAP and datasource properties are stored
-      in the encrypted format.
+      in an encrypted format.
    </p>
    <sample src="configuration.properties" />
  </example>
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -9,10 +9,18 @@
 *       external/cwe/cwe-260
 */

+/*
+ * Note this query requires properties files to be indexed before it can produce results.
+ * If creating your own database with the CodeQL CLI, you should run
+ * `codeql database index-files --language=properties ...`
+ * If using lgtm.com, you should add `properties_files: true` to the index block of your
+ * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
+ */
+
 import java
 import semmle.code.configfiles.ConfigFiles

-private string suspicious() {
+private string possibleSecretName() {
  result = "%password%" or
  result = "%passwd%" or
  result = "%account%" or
@@ -23,7 +31,7 @@ private string suspicious() {
  result = "%access%key%"
 }

-private string nonSuspicious() {
+private string possibleEncryptedSecretName() {
  result = "%hashed%" or
  result = "%encrypted%" or
  result = "%crypt%"
@@ -48,7 +56,8 @@ predicate isNotCleartextCredentials(string value) {
  or
  value.matches("ENC(%)") // Encrypted value
  or
-  value.toLowerCase().matches(suspicious()) // Could be message properties or fake passwords
+  // Could be a message property for UI display or fake passwords, e.g. login.password_expired=Your current password has expired.
+  value.toLowerCase().matches(possibleSecretName())
 }

 /**
@@ -57,8 +66,7 @@ predicate isNotCleartextCredentials(string value) {
 *    b) with a non-production file name
 */
 predicate isNonProdCredentials(CredentialsConfig cc) {
-  cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"]) and
-  not cc.getFile().getAbsolutePath().matches("%codeql%") // CodeQL test cases
+  cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"])
 }

 /** The properties file with configuration key/value pairs. */
@@ -69,8 +77,8 @@ class ConfigProperties extends ConfigPair {
 /** The credentials configuration property. */
 class CredentialsConfig extends ConfigProperties {
  CredentialsConfig() {
-    this.getNameElement().getName().trim().toLowerCase().matches(suspicious()) and
-    not this.getNameElement().getName().trim().toLowerCase().matches(nonSuspicious())
+    this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
+    not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName())
  }

  string getName() { result = this.getNameElement().getName().trim() }