mirror of
https://github.com/github/codeql.git
synced 2026-01-26 21:02:58 +01:00
46 lines
1.6 KiB
Plaintext
46 lines
1.6 KiB
Plaintext
/** Provides classes and predicates to reason about Insecure Basic Authentication vulnerabilities. */
|
|
|
|
import java
|
|
import semmle.code.java.dataflow.DataFlow
|
|
import semmle.code.java.dataflow.TaintTracking
|
|
import semmle.code.java.security.HttpsUrls
|
|
|
|
/**
|
|
* A source that represents HTTP URLs.
|
|
* Extend this class to add your own Insecure Basic Authentication sources.
|
|
*/
|
|
abstract class InsecureBasicAuthSource extends DataFlow::Node { }
|
|
|
|
/** A default source representing HTTP strings, URLs or URIs. */
|
|
private class DefaultInsecureBasicAuthSource extends InsecureBasicAuthSource {
|
|
DefaultInsecureBasicAuthSource() { this.asExpr() instanceof HttpStringLiteral }
|
|
}
|
|
|
|
/**
|
|
* A sink that represents a method that sets Basic Authentication.
|
|
* Extend this class to add your own Insecure Basic Authentication sinks.
|
|
*/
|
|
abstract class InsecureBasicAuthSink extends DataFlow::Node { }
|
|
|
|
/** A default sink representing methods that set an Authorization header. */
|
|
private class DefaultInsecureBasicAuthSink extends InsecureBasicAuthSink {
|
|
DefaultInsecureBasicAuthSink() {
|
|
exists(MethodAccess ma |
|
|
ma.getMethod().hasName("addHeader") or
|
|
ma.getMethod().hasName("setHeader") or
|
|
ma.getMethod().hasName("setRequestProperty")
|
|
|
|
|
this.asExpr() = ma.getQualifier() and
|
|
ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Authorization" and
|
|
TaintTracking::localExprTaint(any(BasicAuthString b), ma.getArgument(1))
|
|
)
|
|
}
|
|
}
|
|
|
|
/**
|
|
* String pattern of basic authentication.
|
|
*/
|
|
private class BasicAuthString extends StringLiteral {
|
|
BasicAuthString() { exists(string s | this.getValue() = s | s.matches("Basic %")) }
|
|
}
|