From ff0dacf1d76a31970de4a4a6f2fa4c115d51f1cd Mon Sep 17 00:00:00 2001 From: luchua-bc Date: Mon, 3 Aug 2020 00:52:47 +0000 Subject: [PATCH] Optimize the TaintTracking --- .../Security/CWE/CWE-522/InsecureBasicAuth.ql | 56 +++++++------- .../CWE-522/InsecureBasicAuth.expected | 74 ++++++++----------- .../security/CWE-522/InsecureBasicAuth.java | 40 +++++++++- 3 files changed, 94 insertions(+), 76 deletions(-) diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql index cca8efa4539..ee7cc60e2c4 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql @@ -13,6 +13,14 @@ import semmle.code.java.frameworks.Networking import semmle.code.java.dataflow.TaintTracking import DataFlow::PathGraph +/** + * Gets a regular expression for matching private hosts, which only matches the host portion therefore checking for port is not necessary. + */ +private string getPrivateHostRegex() { + result = + "(?i)localhost(?:[:/?#].*)?|127\\.0\\.0\\.1(?:[:/?#].*)?|10(?:\\.[0-9]+){3}(?:[:/?#].*)?|172\\.16(?:\\.[0-9]+){2}(?:[:/?#].*)?|192.168(?:\\.[0-9]+){2}(?:[:/?#].*)?|\\[0:0:0:0:0:0:0:1\\](?:[:/?#].*)?|\\[::1\\](?:[:/?#].*)?" +} + /** * The Java class `org.apache.http.client.methods.HttpRequestBase`. Popular subclasses include `HttpGet`, `HttpPost`, and `HttpPut`. * And the Java class `org.apache.http.message.BasicHttpRequest`. 
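Review bot: The private-host pattern in the added `getPrivateHostRegex()` is narrower than the RFC 1918 ranges it stands in for: `172\\.16` only covers 172.16.0.0/16 rather than the whole 172.16.0.0/12 block, and the dots in `192.168` are unescaped, so `172.20.1.1` is treated as a public host while `192x168.1.1` is treated as private. Since the query uses this regex to suppress findings for internal hosts, the gap yields a false positive on every 172.17–172.31 address; `172\\.(?:1[6-9]|2[0-9]|3[01])(?:\\.[0-9]+){2}(?:[:/?#].*)?` and `192\\.168(?:\\.[0-9]+){2}(?:[:/?#].*)?` close it, and `127(?:\\.[0-9]+){3}` would do the same for the rest of the loopback block. The QLDoc sentence is also hard to parse; `Gets a regular expression matching a private or loopback host, optionally followed by a port, path, query or fragment.` states the same contract more plainly.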
@@ -35,16 +43,17 @@ class URLConstructor extends ClassInstanceExpr { predicate hasHttpStringArg() { this.getConstructor().getParameter(0).getType() instanceof TypeString and ( - // URLs constructed with the string constructor `URL(String spec)` - this.getConstructor().getNumberOfParameters() = 1 and - this.getArgument(0) instanceof HttpString // First argument contains the whole spec. - or // URLs constructed with any of the three string constructors below: // `URL(String protocol, String host, int port, String file)`, // `URL(String protocol, String host, int port, String file, URLStreamHandler handler)`, // `URL(String protocol, String host, String file)` this.getConstructor().getNumberOfParameters() > 1 and - concatHttpString(getArgument(0), this.getArgument(1)) // First argument contains the protocol part and the second argument contains the host part. + concatHttpString(getArgument(0), this.getArgument(1)) + or + // First argument contains the protocol part and the second argument contains the host part. + // URLs constructed with the string constructor `URL(String spec)` + this.getConstructor().getNumberOfParameters() = 1 and + this.getArgument(0) instanceof HttpString // First argument contains the whole spec. ) } } 
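Review bot: The comment `// First argument contains the protocol part and the second argument contains the host part.` was carried along with the reorder and now sits above the `URL(String spec)` branch, which it does not describe. It belongs back on the `concatHttpString(getArgument(0), this.getArgument(1))` line of the multi-parameter branch where it came from; as written, the single-argument branch now has two contradicting comments. While touching that line, `getArgument(0)` and `this.getArgument(1)` could use the same receiver form.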
@@ -57,24 +66,21 @@ class URIConstructor extends ClassInstanceExpr { predicate hasHttpStringArg() { ( - this.getNumArgument() = 1 // `URI(String str)` + this.getNumArgument() = 1 and + this.getArgument(0) instanceof HttpString // `URI(String str)` or this.getNumArgument() = 4 and concatHttpString(this.getArgument(0), this.getArgument(1)) // `URI(String scheme, String host, String path, String fragment)` or + this.getNumArgument() = 5 and + concatHttpString(this.getArgument(0), this.getArgument(1)) // `URI(String scheme, String authority, String path, String query, String fragment)` without user-info in authority + or this.getNumArgument() = 7 and concatHttpString(this.getArgument(0), this.getArgument(2)) // `URI(String scheme, String userInfo, String host, int port, String path, String query, String fragment)` ) } } -/** - * Gets a regular expression for matching private hosts. - */ -private string getPrivateHostRegex() { - result = "(?i)localhost([:/].*)?|127\\.0\\.0\\.1([:/].*)?|10(\\.[0-9]+){3}([:/].*)?|172\\.16(\\.[0-9]+){2}([:/].*)?|192.168(\\.[0-9]+){2}([:/].*)?|\\[0:0:0:0:0:0:0:1\\]([:/].*)?|\\[::1\\]([:/].*)?" -} - /** * String of HTTP URLs not in private domains. */ @@ -82,7 +88,7 @@ class HttpStringLiteral extends StringLiteral { HttpStringLiteral() { // Match URLs with the HTTP protocol and without private IP addresses to reduce false positives. exists(string s | this.getRepresentedString() = s | - s.regexpMatch("(?i)http://[a-zA-Z0-9].*") and + s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*") and not s.substring(7, s.length()).regexpMatch(getPrivateHostRegex()) ) } 
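Review bot: The new five-argument case passes the second argument to `concatHttpString` as if it were a host, but `URI(String scheme, String authority, String path, String query, String fragment)` takes an authority, which may carry user-info and a port (`user:pw@host:8080`). The trailing comment admits the limitation, yet if `concatHttpString` (not visible here) checks that argument against `getPrivateHostRegex()` the way `HttpStringLiteral` does, an authority such as `admin:pw@localhost` would fail the private-host pattern and be reported as an external host. Either state this in the predicate's QLDoc, e.g. `// Authority strings with user-info or a port are not normalised before the private-host check`, or strip a `userinfo@` prefix before the check.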
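Review bot: Allowing `[` in `s.regexpMatch("(?i)http://[\\[a-zA-Z0-9].*")` opens the literal check to IPv6 hosts, but `getPrivateHostRegex()` only recognises `[::1]` and `[0:0:0:0:0:0:0:1]`, so other spellings of the loopback address such as `[0::1]` or the IPv4-mapped `[::ffff:127.0.0.1]` pass the `not … regexpMatch(getPrivateHostRegex())` filter and are reported as public hosts. Either keep the bracket out of the literal pattern until the private-host regex covers bracketed forms generally, or record the limitation next to the pattern, e.g. `// IPv6 literals are accepted; only [::1] and its uncompressed form are treated as private`.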
@@ -121,15 +127,7 @@ class HttpString extends Expr { HttpString() { this instanceof HttpStringLiteral or - this.(VarAccess).getVariable().getAnAssignedValue() instanceof HttpStringLiteral - or concatHttpString(this.(AddExpr).getLeftOperand(), this.(AddExpr).getRightOperand()) - or - concatHttpString(this.(AddExpr).getLeftOperand().(AddExpr).getLeftOperand(), - this.(AddExpr).getLeftOperand().(AddExpr).getRightOperand()) - or - concatHttpString(this.(AddExpr).getLeftOperand(), - this.(AddExpr).getRightOperand().(AddExpr).getLeftOperand()) // First two elements of a string concatenated from an arbitrary number of elements. } } @@ -170,16 +168,15 @@ predicate apacheHttpRequest(DataFlow::Node node1, DataFlow::Node node2) { ) } -/** Constructors of `URI` */ +/** `URI` methods */ predicate createURI(DataFlow::Node node1, DataFlow::Node node2) { - exists(URIConstructor cc | + exists(URIConstructor cc | // new URI node2.asExpr() = cc and - cc.getArgument(0) = node1.asExpr() and - cc.hasHttpStringArg() + cc.getArgument(0) = node1.asExpr() ) or exists( - StaticMethodAccess ma // URI.create + StaticMethodAccess ma // URI.create | ma.getMethod().getDeclaringType().hasQualifiedName("java.net", "URI") and ma.getMethod().hasName("create") and @@ -192,8 +189,7 @@ predicate createURI(DataFlow::Node node1, DataFlow::Node node2) { predicate createURL(DataFlow::Node node1, DataFlow::Node node2) { exists(URLConstructor cc | node2.asExpr() = cc and - cc.getArgument(0) = node1.asExpr() and - cc.hasHttpStringArg() + cc.getArgument(0) = node1.asExpr() ) } @@ -257,4 +253,4 @@ class BasicAuthFlowConfig extends TaintTracking::Configuration { from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config where config.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Insecure basic authentication from $@.", source.getNode(), - "this user input" + "HTTP url" 
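Review bot: Dropping `cc.hasHttpStringArg()` from `createURI` (and from `createURL` in the following hunk) turns every `new URI(...)` and `new URL(...)` into a taint step from its first argument, and for the multi-argument constructors that argument is the scheme, not the URL: the updated expectations show the five-argument `URI` case reported with `"http"` at 78:47 as the `$@` source, so the alert's "HTTP url" link now points at a bare scheme literal. Whatever `isSource` (outside this hunk) selects for these constructors, the reported location would be more useful at the constructor call or its host argument than at `"http"`; this could be done in the path selection rather than by restoring the dropped check, which the new `HttpString` (no `VarAccess` case) would no longer satisfy for `new URI(uriStr)`. The replaced QLDoc `/** `URI` methods */` should also say what the predicate now guarantees, e.g. `/** Taint step from the first argument of `new URI(...)` or `URI.create(...)` to the resulting `URI`. */`.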
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected index d67ca2631ea..7d56cbd5a87 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected +++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected 
@@ -1,53 +1,43 @@ edges | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | -| InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | -| InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | -| InsecureBasicAuth.java:36:29:36:31 | url : String | InsecureBasicAuth.java:38:3:38:5 | get | +| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | -| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | InsecureBasicAuth.java:54:3:54:6 | post | -| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:70:3:70:6 | post | -| InsecureBasicAuth.java:62:56:62:61 | uriStr : String | InsecureBasicAuth.java:70:3:70:6 | post | -| InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:87:3:87:6 | post | -| InsecureBasicAuth.java:78:58:78:63 | uriStr : String | InsecureBasicAuth.java:87:3:87:6 | post | -| InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | -| InsecureBasicAuth.java:97:21:97:26 | urlStr : String | InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | -| InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | InsecureBasicAuth.java:101:3:101:6 | conn | -| InsecureBasicAuth.java:113:21:113:28 | protocol : String | InsecureBasicAuth.java:114:28:114:67 | (...)... : URLConnection | -| InsecureBasicAuth.java:114:28:114:67 | (...)... 
: URLConnection | InsecureBasicAuth.java:117:3:117:6 | conn | +| InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | +| InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | +| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post | +| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post | +| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | +| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | InsecureBasicAuth.java:133:3:133:6 | conn | +| InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | +| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | InsecureBasicAuth.java:149:3:149:6 | conn | nodes | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | semmle.label | ... + ... : String | -| InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | semmle.label | ... + ... 
: String | | InsecureBasicAuth.java:28:3:28:6 | post | semmle.label | post | -| InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | semmle.label | "http://dashboardHost:dashboardPort/payment/retrieve" : String | -| InsecureBasicAuth.java:36:29:36:31 | url : String | semmle.label | url : String | +| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | semmle.label | "http://www.example.com:dashboardPort/payment/retrieve" : String | | InsecureBasicAuth.java:38:3:38:5 | get | semmle.label | get | | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | -| InsecureBasicAuth.java:46:50:46:55 | uriStr : String | semmle.label | uriStr : String | | InsecureBasicAuth.java:54:3:54:6 | post | semmle.label | post | | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | -| InsecureBasicAuth.java:62:56:62:61 | uriStr : String | semmle.label | uriStr : String | -| InsecureBasicAuth.java:70:3:70:6 | post | semmle.label | post | -| InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | -| InsecureBasicAuth.java:78:58:78:63 | uriStr : String | semmle.label | uriStr : String | -| InsecureBasicAuth.java:87:3:87:6 | post | semmle.label | post | -| InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | -| InsecureBasicAuth.java:97:21:97:26 | urlStr : String | semmle.label | urlStr : String | -| InsecureBasicAuth.java:98:28:98:67 | (...)... : URLConnection | semmle.label | (...)... 
: URLConnection | -| InsecureBasicAuth.java:101:3:101:6 | conn | semmle.label | conn | -| InsecureBasicAuth.java:113:21:113:28 | protocol : String | semmle.label | protocol : String | -| InsecureBasicAuth.java:114:28:114:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection | -| InsecureBasicAuth.java:117:3:117:6 | conn | semmle.label | conn | +| InsecureBasicAuth.java:71:3:71:6 | post | semmle.label | post | +| InsecureBasicAuth.java:78:47:78:52 | "http" : String | semmle.label | "http" : String | +| InsecureBasicAuth.java:86:3:86:6 | post | semmle.label | post | +| InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuth.java:102:3:102:6 | post | semmle.label | post | +| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuth.java:119:3:119:6 | post | semmle.label | post | +| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | +| InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection | +| InsecureBasicAuth.java:133:3:133:6 | conn | semmle.label | conn | +| InsecureBasicAuth.java:145:21:145:28 | protocol : String | semmle.label | protocol : String | +| InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection | +| InsecureBasicAuth.java:149:3:149:6 | conn | semmle.label | conn | #select -| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... 
| this user input | -| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:81 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:81 | ... + ... | this user input | -| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:35:9:35:61 | "http://dashboardHost:dashboardPort/payment/retrieve" | this user input | -| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:36:29:36:31 | url : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. | InsecureBasicAuth.java:36:29:36:31 | url | this user input | -| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input | -| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:46:50:46:55 | uriStr : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:46:50:46:55 | uriStr | this user input | -| InsecureBasicAuth.java:70:3:70:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:70:3:70:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input | -| InsecureBasicAuth.java:70:3:70:6 | post | InsecureBasicAuth.java:62:56:62:61 | uriStr : String | InsecureBasicAuth.java:70:3:70:6 | post | Insecure basic authentication from $@. 
| InsecureBasicAuth.java:62:56:62:61 | uriStr | this user input | -| InsecureBasicAuth.java:87:3:87:6 | post | InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:87:3:87:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:77:19:77:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input | -| InsecureBasicAuth.java:87:3:87:6 | post | InsecureBasicAuth.java:78:58:78:63 | uriStr : String | InsecureBasicAuth.java:87:3:87:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:58:78:63 | uriStr | this user input | -| InsecureBasicAuth.java:101:3:101:6 | conn | InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:101:3:101:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:94:19:94:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | this user input | -| InsecureBasicAuth.java:101:3:101:6 | conn | InsecureBasicAuth.java:97:21:97:26 | urlStr : String | InsecureBasicAuth.java:101:3:101:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:97:21:97:26 | urlStr | this user input | -| InsecureBasicAuth.java:117:3:117:6 | conn | InsecureBasicAuth.java:113:21:113:28 | protocol : String | InsecureBasicAuth.java:117:3:117:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:113:21:113:28 | protocol | this user input | +| InsecureBasicAuth.java:28:3:28:6 | post | InsecureBasicAuth.java:20:39:20:52 | ... + ... : String | InsecureBasicAuth.java:28:3:28:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:20:39:20:52 | ... + ... | HTTP url | +| InsecureBasicAuth.java:38:3:38:5 | get | InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" : String | InsecureBasicAuth.java:38:3:38:5 | get | Insecure basic authentication from $@. 
| InsecureBasicAuth.java:35:19:35:73 | "http://www.example.com:dashboardPort/payment/retrieve" | HTTP url | +| InsecureBasicAuth.java:54:3:54:6 | post | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:54:3:54:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:45:19:45:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url | +| InsecureBasicAuth.java:71:3:71:6 | post | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:71:3:71:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:61:19:61:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url | +| InsecureBasicAuth.java:86:3:86:6 | post | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:78:47:78:52 | "http" | HTTP url | +| InsecureBasicAuth.java:102:3:102:6 | post | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url | +| InsecureBasicAuth.java:119:3:119:6 | post | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post | Insecure basic authentication from $@. | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url | +| InsecureBasicAuth.java:133:3:133:6 | conn | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:133:3:133:6 | conn | Insecure basic authentication from $@. 
| InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" | HTTP url |
+| InsecureBasicAuth.java:149:3:149:6 | conn | InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:149:3:149:6 | conn | Insecure basic authentication from $@. | InsecureBasicAuth.java:145:21:145:28 | protocol | HTTP url |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
index fcc339d85da..f9e6511a2b0 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.java
@@ -32,8 +32,8 @@ public class InsecureBasicAuth {
  * Test basic authentication with Apache HTTP GET request.
  */
 public void testApacheHttpRequest2(String url) throws java.io.IOException {
- url = "http://dashboardHost:dashboardPort/payment/retrieve";
- HttpGet get = new HttpGet(url);
+ String urlStr = "http://www.example.com:dashboardPort/payment/retrieve";
+ HttpGet get = new HttpGet(urlStr);
 get.setHeader("Accept", "application/json");
 get.setHeader("Authorization", "Basic " + new String(Base64.getEncoder().encode("admin:test".getBytes())));
 }
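Review bot: After replacing the reassignment with a fresh local, the `url` parameter of `testApacheHttpRequest2(String url)` is unused, and the test no longer exercises the shape it used to cover — a literal assigned to a parameter that is then passed to `HttpGet` — even though the `VarAccess` case was just removed from `HttpString` and that flow now depends entirely on taint tracking through the assignment. Keeping the old `url = "..."; new HttpGet(url)` form alongside the new local (or dropping the now-dead parameter if the shape is intentionally no longer tested) would make the intent explicit; the `.expected` change suggests the old result at 35:9 was replaced rather than shown to still hold.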
@@ -55,9 +55,41 @@ public class InsecureBasicAuth { } /** - * Test basic authentication with Apache HTTP `BasicHttpRequest` using string constructor. + * Test basic authentication with Apache HTTP POST request using the URI constructor with one argument. */ public void testApacheHttpRequest4(String username, String password) { + String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; + URI uri = new URI(uriStr); + HttpRequestBase post = new HttpPost(uri); + post.setHeader("Accept", "application/json"); + post.setHeader("Content-type", "application/json"); + + String authString = username + ":" + password; + byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); + String authStringEnc = new String(authEncBytes); + + post.addHeader("Authorization", "Basic " + authStringEnc); + } + + /** + * Test basic authentication with Apache HTTP POST request using a URI constructor with multiple arguments. + */ + public void testApacheHttpRequest5(String username, String password) { + HttpRequestBase post = new HttpPost(new URI("http", "www.example.com", "/test", "abc=123", null)); + post.setHeader("Accept", "application/json"); + post.setHeader("Content-type", "application/json"); + + String authString = username + ":" + password; + byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); + String authStringEnc = new String(authEncBytes); + + post.addHeader("Authorization", "Basic " + authStringEnc); + } + + /** + * Test basic authentication with Apache HTTP `BasicHttpRequest` using string constructor. + */ + public void testApacheHttpRequest6(String username, String password) { String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; BasicHttpRequest post = new BasicHttpRequest("POST", uriStr); post.setHeader("Accept", "application/json"); 
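Review bot: Both added methods call `new URI(...)`, which declares the checked `java.net.URISyntaxException`, yet neither `testApacheHttpRequest4` nor `testApacheHttpRequest5` declares or catches it, unlike `testApacheHttpRequest2`, which carries `throws java.io.IOException`; if this fixture is compiled against the real JDK rather than a stub, javac will reject it. Adding `throws java.net.URISyntaxException` to both signatures keeps the test compiling without changing what it pins. The call `new URI("http", "www.example.com", "/test", "abc=123", null)` is the case that the new `getNumArgument() = 5` branch in `URIConstructor` was added for, so a one-line comment saying so (`// exercises URI(scheme, authority, path, query, fragment)`) would tell the next reader why this method exists alongside the four- and seven-argument tests.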
@@ -73,7 +105,7 @@ public class InsecureBasicAuth {
 /**
  * Test basic authentication with Apache HTTP `BasicHttpRequest` using `RequestLine`.
  */
- public void testApacheHttpRequest5(String username, String password) {
+ public void testApacheHttpRequest7(String username, String password) {
 String uriStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
 RequestLine requestLine = new BasicRequestLine("POST", uriStr, null);
 BasicHttpRequest post = new BasicHttpRequest(requestLine);