Query to detect plaintext credentials in Java properties files

java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected

@@ -0,0 +1,5 @@
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password have cleartext value mysecpass in properties file. |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password have cleartext value Passw0rd@123 in properties file. |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password have cleartext value MysecPWxWa@1993 in properties file. |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key have cleartext value AKMAMQPBYMCD6YSAYCBA in properties file. |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key have cleartext value 8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k in properties file. |

java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql

java/ql/test/experimental/query-tests/security/CWE-555/configuration.properties

@@ -0,0 +1,37 @@
+#***************************** LDAP Credentials *****************************************#
+ldap.ldapHost = ldap.example.com
+ldap.ldapPort = 636
+ldap.loginDN = cn=Directory Manager
+#### BAD: LDAP credentials are stored in cleartext #### 
+ldap.password = mysecpass
+#### GOOD: LDAP credentials are stored in the encrypted format #### 
+ldap.password = eFRZ3Cqo5zDJWMYLiaEupw==
+ldap.domain1 = example
+ldap.domain2 = com
+ldap.url= ldaps://ldap.example.com:636/dc=example,dc=com
+
+#*************************** MS SQL Database Connection **********************************# 
+datasource1.driverClassName = com.microsoft.sqlserver.jdbc.SQLServerDriver
+datasource1.url = jdbc:sqlserver://ms.example.com\\exampledb:1433;
+datasource1.username = sa
+#### BAD: Datasource credentials are stored in cleartext #### 
+datasource1.password = Passw0rd@123
+#### GOOD: Datasource credentials are stored in the encrypted format #### 
+datasource1.password = VvOgflYS1EUzJdVNDoBcnA==
+
+#*************************** Mail Connection **********************************# 
+mail.username = test@example.com
+#### BAD: Mail credentials are stored in cleartext #### 
+mail.password = MysecPWxWa@1993
+#### GOOD: Mail credentials are stored in the encrypted format #### 
+mail.password = M*********@1993
+
+#*************************** AWS S3 Connection **********************************# 
+com.example.aws.s3.bucket_name=com-bucket-1
+com.example.aws.s3.directory_name=com-directory-1
+#### BAD: Access keys are stored in properties file in cleartext #### 
+com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA
+com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k
+#### GOOD: Access keys are not stored in properties file #### 
+com.example.aws.s3.access_key=${ENV:AWS_ACCESS_KEY_ID}
+com.example.aws.s3.secret_key=${ENV:AWS_SECRET_ACCESS_KEY}

java/ql/test/experimental/query-tests/security/CWE-555/messages.properties

@@ -0,0 +1,8 @@
+prompt.username=Username
+prompt.password=Password
+
+forgot_password.error=Please enter a valid email address.
+reset_password.error=Passwords must match and not be empty.
+
+login.password_expired=Your current password has expired. Please reset your password.
+login.login_failure=Unable to verify username or password. Please try again.