diff --git a/java/ql/lib/ext/com.couchbase.client.core.env.model.yml b/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
new file mode 100644
index 00000000000..8222b8e88cd
--- /dev/null
+++ b/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
+ - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+ - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
diff --git a/java/ql/lib/ext/com.couchbase.client.java.model.yml b/java/ql/lib/ext/com.couchbase.client.java.model.yml
new file mode 100644
index 00000000000..6796fcc524d
--- /dev/null
+++ b/java/ql/lib/ext/com.couchbase.client.java.model.yml
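Review bot: The `PasswordAuthenticator` rows in `com.couchbase.client.core.env.model.yml` cover only the builder, so a literal passed to `PasswordAuthenticator.create(String,String)` or `PasswordAuthenticator.ldapCompatible(String,String)` would not reach a credentials sink, even though both factories are present in the stub this commit adds. Consider adding `["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]` with the matching `Argument[1]` / `credentials-password` row, and the same pair for `ldapCompatible`. The builder rows are also asymmetric: `username(Supplier)` is modelled but `password(Supplier)` is not, so it is worth deciding once whether a `Supplier` argument is a useful sink and treating both setters the same way.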
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["com.couchbase.client.java","ClusterOptions",true,"clusterOptions","(String,String)","","Argument[0]","credentials-username","manual"]
+ - ["com.couchbase.client.java","ClusterOptions",true,"clusterOptions","(String,String)","","Argument[1]","credentials-password","manual"]
+ - ["com.couchbase.client.java","Cluster",true,"connect","(String,String,String)","","Argument[1]","credentials-username","manual"]
+ - ["com.couchbase.client.java","Cluster",true,"connect","(String,String,String)","","Argument[2]","credentials-password","manual"]
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
new file mode 100644
index 00000000000..f46ff80ba52
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
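Review bot: `AsyncCluster.connect(String,String,String)` has no sink rows in `com.couchbase.client.java.model.yml`, although this commit stubs it with the same signature as the modelled `Cluster.connect`. Hardcoded credentials passed through the async entry point would therefore go unreported while the identical synchronous call is flagged. Add `["com.couchbase.client.java","AsyncCluster",true,"connect","(String,String,String)","","Argument[1]","credentials-username","manual"]` and the corresponding `Argument[2]` / `credentials-password` row. Any other cluster entry point in the SDK that takes a username and password presumably needs the same rows; that cannot be checked from this diff.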
@@ -0,0 +1,35 @@
+import static com.couchbase.client.java.ClusterOptions.clusterOptions;
+
+import com.couchbase.client.core.env.Authenticator;
+import com.couchbase.client.core.env.CertificateAuthenticator;
+import com.couchbase.client.core.env.PasswordAuthenticator;
+import com.couchbase.client.java.Cluster;
+
+public class HardcodedCouchBaseCredentials {
+ public static void test() {
+ Cluster cluster1 =
+ Cluster.connect(
+ "127.0.0.1",
+ "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ Cluster cluster2 =
+ Cluster.connect(
+ "127.0.0.1",
+ clusterOptions(
+ "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ "password")); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ PasswordAuthenticator authenticator1 =
+ PasswordAuthenticator.builder()
+ .username(
+ "Administrator") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ .password("password") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+ .onlyEnablePlainSaslMechanism()
+ .build();
+
+ Authenticator authenticator2 =
+ CertificateAuthenticator.fromKeyStore(
+ null,
+ "keyStorePassword"); // $ HardcodedCredentialsApiCall
+ Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator2));
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
index 18ff7ebd8a9..209b6ec6a32 100644
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
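Review bot: `HardcodedCouchBaseCredentials.test()` exercises only one of the four `CertificateAuthenticator` sink rows, because the two-argument `fromKeyStore(null, "keyStorePassword")` call resolves to the `(KeyStore,String)` overload. `fromKeyStore(Path,String,Optional)`, both `fromKey` arguments and `PasswordAuthenticator.Builder.username(Supplier)` are modelled but never checked, so a mistyped signature in one of those rows would likely go unnoticed. Adding one call per row would pin them, for example `CertificateAuthenticator.fromKey(null, "keyPassword", null); // $ HardcodedCredentialsApiCall` for the key-password argument. It would also help to add a negative case where the password comes from a non-constant value, to confirm the new sinks do not over-report.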
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/Authenticator.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/Authenticator.java
new file mode 100644
index 00000000000..2868d486698
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/Authenticator.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2018 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+
+public interface Authenticator {}
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/CertificateAuthenticator.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/CertificateAuthenticator.java
new file mode 100644
index 00000000000..eb837ab18fe
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/CertificateAuthenticator.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+
+public class CertificateAuthenticator implements Authenticator {
+
+ public static CertificateAuthenticator fromKeyStore(
+ final Path keyStorePath, final String keyStorePassword, final Optional keyStoreType) {
+ return null;
+ }
+
+ public static CertificateAuthenticator fromKeyStore(
+ final KeyStore keyStore, final String keyStorePassword) {
+ return null;
+ }
+
+ public static CertificateAuthenticator fromKey(
+ final PrivateKey key, final String keyPassword, final List keyCertChain) {
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
new file mode 100644
index 00000000000..ec37e812463
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.core.env;
+
+import java.util.function.Supplier;
+
+public class PasswordAuthenticator implements Authenticator {
+
+ public static PasswordAuthenticator.Builder builder() {
+ return null;
+ }
+
+ public static PasswordAuthenticator create(final String username, final String password) {
+ return null;
+ }
+
+ public static PasswordAuthenticator ldapCompatible(final String username, final String password) {
+ return null;
+ }
+
+ private static String encodeAuthHttpHeader(UsernameAndPassword credentials) {
+ return null;
+ }
+
+ public static class Builder {
+
+ public Builder username(final String username) {
+ return null;
+ }
+
+ public Builder username(final Supplier username) {
+ return null;
+ }
+
+ public Builder password(final String password) {
+
+ return null;
+ }
+
+ public Builder password(final Supplier password) {
+ return null;
+ }
+
+ public Builder onlyEnablePlainSaslMechanism() {
+ return null;
+ }
+
+ public PasswordAuthenticator build() {
+ return null;
+ }
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/SeedNode.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/SeedNode.java
new file mode 100644
index 00000000000..fa8fcb4b6d2
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/SeedNode.java
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+public class SeedNode {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
new file mode 100644
index 00000000000..72d3ba0647b
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
@@ -0,0 +1,19 @@
+/*
+ * Copyright 2024 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+public class UsernameAndPassword {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/AsyncCluster.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/AsyncCluster.java
new file mode 100644
index 00000000000..2dd340befec
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/AsyncCluster.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2018 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.java;
+
+
+public class AsyncCluster {
+
+ public static AsyncCluster connect(
+ final String connectionString, final String username, final String password) {
+ return null;
+ }
+
+ public static AsyncCluster connect(final String connectionString, final ClusterOptions options) {
+ return null;
+ }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
new file mode 100644
index 00000000000..e59d04d52e6
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2016 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.java;
+
+import com.couchbase.client.core.env.SeedNode;
+import java.io.Closeable;
+import java.util.Set;
+
+public class Cluster implements Closeable {
+
+ public static Cluster connect(
+ final String connectionString, final String username, final String password) {
+ return null;
+ }
+
+ public static Cluster connect(final String connectionString, final ClusterOptions options) {
+ return null;
+ }
+
+ public static Cluster connect(final Set seedNodes, final ClusterOptions options) {
+ return null;
+ }
+
+ @Override
+ public void close() {}
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/ClusterOptions.java b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/ClusterOptions.java
new file mode 100644
index 00000000000..7c506393ee3
--- /dev/null
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/ClusterOptions.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.java;
+
+import com.couchbase.client.core.env.Authenticator;
+
+public class ClusterOptions {
+ public static ClusterOptions clusterOptions(final Authenticator authenticator) {
+ return null;
+ }
+
+ public static ClusterOptions clusterOptions(final String username, final String password) {
+ return null;
+ }
+}
\ No newline at end of file