Specifically Apache sshd defines its sensitive api calls on an inherited interface, and they need to be described that way for us to pick them up.
import org.apache.shiro.web.mgt.CookieRememberMeManager;
/**
 * Static-analysis fixture for hard-coded Apache Shiro "remember me" cipher keys.
 *
 * <p>Each method builds a {@code CookieRememberMeManager} and, in the BAD cases, passes a
 * compile-time constant to {@code setCipherKey}. The trailing
 * {@code // $ HardcodedCredentialsApiCall} comments appear to mark the lines where an alert is
 * expected, so they must stay on the same line as the constant they annotate.
 *
 * <p>Why it matters: the cipher key protects the remember-me cookie. A key that lives in source
 * code is shared by every deployment of that code and is known to anyone who can read the
 * repository or the built artifact, so the cookie no longer offers confidentiality or integrity.
 * Load the key from a per-deployment secret store or generate it at startup instead.
 */
public class HardcodedShiroKey {

    //BAD: hard-coded shiro key
    // The key bytes come straight from a string literal. "TEST123" is 7 bytes, which is not a
    // valid AES key length; the value is presumably only meant to act as a constant source for
    // the analysis, not as a usable key.
    // NOTE(review): `input` is not used in this method.
    public void testHardcodedShiroKey(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCipherKey("TEST123".getBytes()); // $ HardcodedCredentialsApiCall
    }

    //BAD: hard-coded shiro key encoded by java.util.Base64
    // Base64 is an encoding, not protection: the decoded bytes are still a constant embedded in
    // the source. The decoder is held in a local variable first, so the constant reaches
    // setCipherKey through a java.util.Base64.Decoder#decode call.
    // NOTE(review): `input` is not used in this method.
    public void testHardcodedbase64ShiroKey1(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        java.util.Base64.Decoder decoder = java.util.Base64.getDecoder();
        cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag==")); // $ HardcodedCredentialsApiCall
    }

    //BAD: hard-coded shiro key encoded by org.apache.shiro.codec.Base64
    // Same defect as above, but the constant is decoded with Shiro's own static Base64 helper
    // rather than the JDK decoder; the key is still fixed at compile time.
    // NOTE(review): `input` is not used in this method.
    public void testHardcodedbase64ShiroKey2(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA==")); // $ HardcodedCredentialsApiCall
    }

    //GOOD: random shiro key
    // No key is set here, so the manager keeps whatever key its constructor installed and no
    // alert is expected.
    // NOTE(review): this is only "random" if the Shiro version in use generates a fresh key in
    // the constructor; confirm for the deployed version. A per-instance random key also means
    // remember-me cookies presumably stop validating after a restart or on another node, so a
    // production setup usually needs a key supplied from external secret configuration.
    public void testRandomShiroKey(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
    }
}