Java: QL Query Detector for JHipster Generated CVE-2019-16303
@@ -0,0 +1,5 @@
|
||||
| vulnerable/RandomUtil.java:20:26:20:41 | generatePassword | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
|
||||
| vulnerable/RandomUtil.java:29:26:29:46 | generateActivationKey | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
|
||||
| vulnerable/RandomUtil.java:38:26:38:41 | generateResetKey | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
|
||||
| vulnerable/RandomUtil.java:48:26:48:43 | generateSeriesData | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
|
||||
| vulnerable/RandomUtil.java:57:26:57:42 | generateTokenData | RandomUtil was generated by JHipster Generator version vulnerable to CVE-2019-16303 |
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
|
||||
@@ -0,0 +1,71 @@
|
||||
package test.cwe338.cwe.examples.fixed;
|
||||
|
||||
import org.apache.commons.lang3.RandomStringUtils;
|
||||
|
||||
import java.security.SecureRandom;
|
||||
|
||||
/**
|
||||
* Utility class for generating random Strings.
|
||||
*/
|
||||
public final class RandomUtil {
|
||||
private static final SecureRandom SECURE_RANDOM = new SecureRandom();
|
||||
|
||||
private static final int DEF_COUNT = 20;
|
||||
|
||||
static {
|
||||
SECURE_RANDOM.nextBytes(new byte[64]);
|
||||
}
|
||||
|
||||
private RandomUtil() {
|
||||
}
|
||||
|
||||
private static String generateRandomAlphanumericString() {
|
||||
return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a password.
|
||||
*
|
||||
* @return the generated password.
|
||||
*/
|
||||
public static String generatePassword() {
|
||||
return generateRandomAlphanumericString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate an activation key.
|
||||
*
|
||||
* @return the generated activation key.
|
||||
*/
|
||||
public static String generateActivationKey() {
|
||||
return generateRandomAlphanumericString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a reset key.
|
||||
*
|
||||
* @return the generated reset key.
|
||||
*/
|
||||
public static String generateResetKey() {
|
||||
return generateRandomAlphanumericString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a unique series to validate a persistent token, used in the
|
||||
* authentication remember-me mechanism.
|
||||
*
|
||||
* @return the generated series data.
|
||||
*/
|
||||
public static String generateSeriesData() {
|
||||
return generateRandomAlphanumericString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a persistent token, used in the authentication remember-me mechanism.
|
||||
*
|
||||
* @return the generated token data.
|
||||
*/
|
||||
public static String generateTokenData() {
|
||||
return generateRandomAlphanumericString();
|
||||
}
|
||||
}
|
||||
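Review bot: The static initializer `SECURE_RANDOM.nextBytes(new byte[64]);` near the top of the fixed fixture carries no comment, so a reader cannot tell whether it is part of the remediation or incidental; I would put `// Eagerly draw 64 bytes so the SecureRandom self-seeds at class load rather than on the first token request.` above it. The class Javadoc is the generator's generic "Utility class for generating random Strings." and should also state the role of this copy: it is the non-vulnerable shape of JHipster's RandomUtil, where every generator goes through `generateRandomAlphanumericString()` and hands `SECURE_RANDOM` to `RandomStringUtils.random(...)`, and the query is expected to raise no alert here, which the .expected file in this commit (entries only under vulnerable/RandomUtil.java) confirms. One visible difference from the vulnerable copy is that `generateActivationKey` and `generateResetKey` now return alphanumeric rather than numeric strings; that presumably mirrors the upstream fix, but if the detector keys on anything beyond the presence of the `SecureRandom` argument, a comment saying so would keep the two fixtures from drifting apart.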
@@ -0,0 +1 @@
|
||||
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/apache-commons-lang3-3.7
|
||||
@@ -0,0 +1,60 @@
|
||||
package test.cwe338.cwe.examples.vulnerable;
|
||||
|
||||
import org.apache.commons.lang3.RandomStringUtils;
|
||||
|
||||
/**
|
||||
* Utility class for generating random Strings.
|
||||
*/
|
||||
public final class RandomUtil {
|
||||
|
||||
private static final int DEF_COUNT = 20;
|
||||
|
||||
private RandomUtil() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a password.
|
||||
*
|
||||
* @return the generated password.
|
||||
*/
|
||||
public static String generatePassword() {
|
||||
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate an activation key.
|
||||
*
|
||||
* @return the generated activation key.
|
||||
*/
|
||||
public static String generateActivationKey() {
|
||||
return RandomStringUtils.randomNumeric(DEF_COUNT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a reset key.
|
||||
*
|
||||
* @return the generated reset key.
|
||||
*/
|
||||
public static String generateResetKey() {
|
||||
return RandomStringUtils.randomNumeric(DEF_COUNT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a unique series to validate a persistent token, used in the
|
||||
* authentication remember-me mechanism.
|
||||
*
|
||||
* @return the generated series data.
|
||||
*/
|
||||
public static String generateSeriesData() {
|
||||
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate a persistent token, used in the authentication remember-me mechanism.
|
||||
*
|
||||
* @return the generated token data.
|
||||
*/
|
||||
public static String generateTokenData() {
|
||||
return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
|
||||
}
|
||||
}
|
||||
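Review bot: The vulnerable fixture's class Javadoc is the same generic "Utility class for generating random Strings." as the fixed one and nowhere says this copy is intentionally insecure, so a later cleanup could "fix" it and silently turn the five expected alerts into an empty result set. I would add a header comment such as `// Test fixture: RandomUtil as emitted by JHipster generator versions affected by CVE-2019-16303 (RandomStringUtils with no SecureRandom source); all five generate* methods must be flagged, see the .expected file.` The security-relevant detail, which the commit names only by CVE number, is that the `RandomStringUtils.randomAlphanumeric(...)` and `randomNumeric(...)` overloads used here take no `Random` argument and, in commons-lang3 3.x (the test compiles against the 3.7 stub named in the options file), fall back to the library's shared non-cryptographic `java.util.Random`, so passwords, activation keys, reset keys and remember-me series/token values from this class are predictable to anyone who can observe a few of them. Stating that in the fixture makes the expected output self-explaining.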