Merge pull request #4814 from luchua-bc/java/password-in-configuration

Java: Password in Java EE configuration files
2026-04-28 10:15:14 +02:00 · 2021-01-05 11:42:27 +00:00
parent a5e28ac6d6 bfb138d415
commit e87fd86e63
8 changed files with 181 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.expected
@@ -0,0 +1,3 @@
+| applicationContext.xml:9:3:9:48 | name=password | Plaintext password in configuration file. |
+| context.xml:4:2:8:50 | password=1234 | Plaintext password in configuration file. |
+| custom-config.xml:3:2:3:137 | value=server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234 | Plaintext password in configuration file. |
--- a/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
+           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
+
+	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
+		<property name="driverClassName" value="com.mysql.jdbc.Driver" />
+		<property name="url" value="jdbc:mysql://www.example.com:3306/test" />
+		<property name="username" value="root" />
+		<property name="password" value="mysecret" />
+		<property name="initialSize" value="30" />
+
+		<property name="maxActive" value="500" />
+		<property name="maxIdle" value="2" />
+		<property name="minIdle" value="1" />
+	</bean>
+
+	<bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
+		<property name="dataSource" ref="dataSource" />
+
+		<property name="annotatedClasses">
+			<list>
+				<value>com.example.entity.Users</value>
+			</list>
+		</property>
+
+		<property name="hibernateProperties">
+			<value>
+	        	hibernate.dialect=org.hibernate.dialect.MySQLDialect
+	        	hibernate.hbm2ddl.auto=update
+				hibernate.show_sql=true
+				hibernate.cache.use_second_level_cache=false
+        	    hibernate.cache.provider_class=org.hibernate.cache.internal.NoCacheProvider
+        	    hibernate.generate_statistics=true	      
+	    </value>
+		</property>
+	</bean>
+</beans>
--- a/java/ql/test/experimental/query-tests/security/CWE-555/context.xml
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/context.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Context>
+	<!-- BAD: Password of datasource is in not encrypted -->
+	<Resource name="jdbc/exampleDS1" auth="Container" type="javax.sql.DataSource"
+		maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+		username="root" password="1234"
+		driverClassName="com.mysql.jdbc.Driver"
+		url="jdbc:mysql://www.example1.com:3306/proj"/>
+
+	<!-- GOOD: Password is encrypted and stored in a password vault -->
+	<Resource name="jdbc/exampleDS2" auth="Container" type="javax.sql.DataSource"
+		maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+		username="root" password="${VAULT::exampleDS2::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlMDMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}"
+		driverClassName="com.mysql.jdbc.Driver"
+		url="jdbc:mysql://www.example2.com:3306/proj"/>
+
+	<!-- GOOD: Password is not stored in the configuration file -->
+	<Resource name="jdbc/exampleDS3" auth="Container" type="javax.sql.DataSource"
+		maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+		username="root" password="${jdbc.password}"
+		driverClassName="com.mysql.jdbc.Driver"
+		url="jdbc:mysql://www.example3.com:3306/proj"/>
+
+	<!-- GOOD: Password is encrypted -->
+	<Resource name="jdbc/exampleDS4" auth="Container" type="javax.sql.DataSource"
+		maxTotal="100" maxIdle="30" maxWaitMillis="10000"
+		username="root" password="Tg2Nn7wUZOQ6Xc+1lenkZTQ9ZDf9a2/RBRiqJBCIX6o="
+		driverClassName="com.mysql.jdbc.Driver"
+		url="jdbc:mysql://www.example4.com:3306/proj"/>
+</Context>
--- a/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml
+++ b/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<db-connections>
+	<db-connection name="oracleServerConn" value="server=myoracle.example.com;port=1521;database=testdb;username=root;password=test1234" /> 
+</db-connections>
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql`