Hardcoded credentials in CouchBase

2026-02-12 05:01:06 +01:00 · 2025-12-22 20:22:20 +01:00
parent 359a28e409
commit b22077c371
12 changed files with 319 additions and 1 deletions
--- a/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
+++ b/java/ql/lib/ext/com.couchbase.client.core.env.model.yml
@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional<String>)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier<String>)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
--- a/java/ql/lib/ext/com.couchbase.client.java.model.yml
+++ b/java/ql/lib/ext/com.couchbase.client.java.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.couchbase.client.java","ClusterOptions",true,"clusterOptions","(String,String)","","Argument[0]","credentials-username","manual"]
+      - ["com.couchbase.client.java","ClusterOptions",true,"clusterOptions","(String,String)","","Argument[1]","credentials-password","manual"]
+      - ["com.couchbase.client.java","Cluster",true,"connect","(String,String,String)","","Argument[1]","credentials-username","manual"]
+      - ["com.couchbase.client.java","Cluster",true,"connect","(String,String,String)","","Argument[2]","credentials-password","manual"]
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
@@ -0,0 +1,35 @@
+import static com.couchbase.client.java.ClusterOptions.clusterOptions;
+
+import com.couchbase.client.core.env.Authenticator;
+import com.couchbase.client.core.env.CertificateAuthenticator;
+import com.couchbase.client.core.env.PasswordAuthenticator;
+import com.couchbase.client.java.Cluster;
+
+public class HardcodedCouchBaseCredentials {
+  public static void test() {
+    Cluster cluster1 =
+        Cluster.connect(
+            "127.0.0.1",
+            "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+            "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    Cluster cluster2 =
+        Cluster.connect(
+            "127.0.0.1",
+            clusterOptions(
+                "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+                "password")); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    PasswordAuthenticator authenticator1 =
+        PasswordAuthenticator.builder()
+            .username(
+                "Administrator") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+            .password("password") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+            .onlyEnablePlainSaslMechanism()
+            .build();
+
+    Authenticator authenticator2 =
+        CertificateAuthenticator.fromKeyStore(
+            null,
+            "keyStorePassword"); // $ HardcodedCredentialsApiCall
+    Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator2));
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/mssql-jdbc-12.2.0:${testdir}/../../../../../stubs/auth0-jwt-2.3
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/Authenticator.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/Authenticator.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2018 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+
+public interface Authenticator {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/CertificateAuthenticator.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/CertificateAuthenticator.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Optional;
+
+public class CertificateAuthenticator implements Authenticator {
+
+  public static CertificateAuthenticator fromKeyStore(
+      final Path keyStorePath, final String keyStorePassword, final Optional<String> keyStoreType) {
+    return null;
+  }
+
+  public static CertificateAuthenticator fromKeyStore(
+      final KeyStore keyStore, final String keyStorePassword) {
+    return null;
+  }
+
+  public static CertificateAuthenticator fromKey(
+      final PrivateKey key, final String keyPassword, final List<X509Certificate> keyCertChain) {
+    return null;
+  }
+}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/PasswordAuthenticator.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.core.env;
+
+import java.util.function.Supplier;
+
+public class PasswordAuthenticator implements Authenticator {
+
+  public static PasswordAuthenticator.Builder builder() {
+    return null;
+  }
+
+  public static PasswordAuthenticator create(final String username, final String password) {
+    return null;
+  }
+
+  public static PasswordAuthenticator ldapCompatible(final String username, final String password) {
+    return null;
+  }
+
+  private static String encodeAuthHttpHeader(UsernameAndPassword credentials) {
+    return null;
+  }
+
+  public static class Builder {
+
+    public Builder username(final String username) {
+      return null;
+    }
+
+    public Builder username(final Supplier<String> username) {
+      return null;
+    }
+
+    public Builder password(final String password) {
+
+      return null;
+    }
+
+    public Builder password(final Supplier<String> password) {
+      return null;
+    }
+
+    public Builder onlyEnablePlainSaslMechanism() {
+      return null;
+    }
+
+    public PasswordAuthenticator build() {
+      return null;
+    }
+  }
+}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/SeedNode.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/SeedNode.java
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+public class SeedNode {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/core/env/UsernameAndPassword.java
@@ -0,0 +1,19 @@
+/*
+ * Copyright 2024 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.core.env;
+
+public class UsernameAndPassword {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/AsyncCluster.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/AsyncCluster.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2018 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.couchbase.client.java;
+
+
+public class AsyncCluster {
+
+  public static AsyncCluster connect(
+      final String connectionString, final String username, final String password) {
+    return null;
+  }
+
+  public static AsyncCluster connect(final String connectionString, final ClusterOptions options) {
+    return null;
+  }
+}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2016 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.java;
+
+import com.couchbase.client.core.env.SeedNode;
+import java.io.Closeable;
+import java.util.Set;
+
+public class Cluster implements Closeable {
+
+  public static Cluster connect(
+      final String connectionString, final String username, final String password) {
+    return null;
+  }
+
+  public static Cluster connect(final String connectionString, final ClusterOptions options) {
+    return null;
+  }
+
+  public static Cluster connect(final Set<SeedNode> seedNodes, final ClusterOptions options) {
+    return null;
+  }
+
+  @Override
+  public void close() {}
+}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/ClusterOptions.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/ClusterOptions.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2019 Couchbase, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.couchbase.client.java;
+
+import com.couchbase.client.core.env.Authenticator;
+
+public class ClusterOptions {
+  public static ClusterOptions clusterOptions(final Authenticator authenticator) {
+    return null;
+  }
+
+  public static ClusterOptions clusterOptions(final String username, final String password) {
+    return null;
+  }
+}