Merge pull request #4312 from JLLeitschuh/feat/JLL/java/jhipster_CVE-2019-16303

Java: QL Query Detector for JHipster Generated CVE-2019-16303
2026-05-05 13:45:19 +02:00 · 2020-10-16 15:47:09 +02:00
parent d91ea55f0c a9c5551284
commit a806a4f086
12 changed files with 977 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.expected
+++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.expected
@@ -0,0 +1,5 @@
+| vulnerable/RandomUtil.java:20:26:20:41 | generatePassword | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:29:26:29:46 | generateActivationKey | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:38:26:38:41 | generateResetKey | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:48:26:48:43 | generateSeriesData | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
+| vulnerable/RandomUtil.java:57:26:57:42 | generateTokenData | Weak random number generator used in security sensitive method (JHipster CVE-2019-16303). |
--- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref
+++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
--- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/fixed/RandomUtil.java
+++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/fixed/RandomUtil.java
@@ -0,0 +1,71 @@
+package test.cwe338.cwe.examples.fixed;
+
+import org.apache.commons.lang3.RandomStringUtils;
+
+import java.security.SecureRandom;
+
+/**
+ * Utility class for generating random Strings.
+ */
+public final class RandomUtil {
+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
+    private static final int DEF_COUNT = 20;
+
+    static {
+        SECURE_RANDOM.nextBytes(new byte[64]);
+    }
+
+    private RandomUtil() {
+    }
+
+    private static String generateRandomAlphanumericString() {
+        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
+    }
+
+    /**
+     * Generate a password.
+     *
+     * @return the generated password.
+     */
+    public static String generatePassword() {
+        return generateRandomAlphanumericString();
+    }
+
+    /**
+     * Generate an activation key.
+     *
+     * @return the generated activation key.
+     */
+    public static String generateActivationKey() {
+        return generateRandomAlphanumericString();
+    }
+
+    /**
+     * Generate a reset key.
+     *
+     * @return the generated reset key.
+     */
+    public static String generateResetKey() {
+        return generateRandomAlphanumericString();
+    }
+
+    /**
+     * Generate a unique series to validate a persistent token, used in the
+     * authentication remember-me mechanism.
+     *
+     * @return the generated series data.
+     */
+    public static String generateSeriesData() {
+        return generateRandomAlphanumericString();
+    }
+
+    /**
+     * Generate a persistent token, used in the authentication remember-me mechanism.
+     *
+     * @return the generated token data.
+     */
+    public static String generateTokenData() {
+        return generateRandomAlphanumericString();
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7
--- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java
+++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java
@@ -0,0 +1,60 @@
+package test.cwe338.cwe.examples.vulnerable;
+
+import org.apache.commons.lang3.RandomStringUtils;
+
+/**
+ * Utility class for generating random Strings.
+ */
+public final class RandomUtil {
+
+    private static final int DEF_COUNT = 20;
+
+    private RandomUtil() {
+    }
+
+    /**
+     * Generate a password.
+     *
+     * @return the generated password.
+     */
+    public static String generatePassword() {
+        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+    }
+
+    /**
+     * Generate an activation key.
+     *
+     * @return the generated activation key.
+     */
+    public static String generateActivationKey() {
+        return RandomStringUtils.randomNumeric(DEF_COUNT);
+    }
+
+    /**
+     * Generate a reset key.
+     *
+     * @return the generated reset key.
+     */
+    public static String generateResetKey() {
+        return RandomStringUtils.randomNumeric(DEF_COUNT);
+    }
+
+    /**
+     * Generate a unique series to validate a persistent token, used in the
+     * authentication remember-me mechanism.
+     *
+     * @return the generated series data.
+     */
+    public static String generateSeriesData() {
+        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+    }
+
+    /**
+     * Generate a persistent token, used in the authentication remember-me mechanism.
+     *
+     * @return the generated token data.
+     */
+    public static String generateTokenData() {
+        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
+    }
+}
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql`
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7`