hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
f5b17b0b48331dbf7b8ee7dc040cf85cd37dfeca
codeql/java/ql/test/query-tests/security/CWE-532/Test.java
MarkLee131 28a6ff208c Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer 
# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java
2026-04-29 20:59:59 +08:00

89 lines
4.5 KiB
Java
Raw Blame History

import org.apache.logging.log4j.Logger;
class Test {
void test(String password, String authToken, String username, String nullToken, String stringTokenizer) {
Logger logger = null;
int zero = 0;
int four = 4;
short zeroS = 0;
long fourL = 4L;
logger.info("User's password is: " + password); // $ Alert
logger.error("Auth failed for: " + authToken); // $ Alert
logger.error("Auth failed for: " + username); // Safe
logger.error("Auth failed for: " + nullToken); // Safe
logger.error("Auth failed for: " + stringTokenizer); // Safe
logger.error("Auth failed for: " + authToken.substring(4) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(four) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(0,4) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(zero,four) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring((int)zeroS,(int)fourL) + "..."); // Safe
logger.error("Auth failed for: " + authToken.substring(1,5) + "..."); // $ Alert
logger.error("Auth failed for: " + authToken.substring(0,8) + "..."); // $ Alert
}
// Tests for hash/encryption sanitizer
void testHashSanitizer(String password, String authToken) {
Logger logger = null;
logger.info("hash: " + hashPassword(password)); // Safe - hashed
logger.info("hash: " + sha256Digest(authToken)); // Safe - digested
logger.info("enc: " + encryptValue(password)); // Safe - encrypted
logger.info("pw: " + password); // $ Alert // not hashed
}
// Tests for false positive exclusions: variables with "token" or "secret" in the name
// that do not hold sensitive data.
void testFalsePositiveExclusions(
String nextToken, String pageToken, String continuationToken, String cursorToken,
String tokenType, String tokenEndpoint, String tokenCount, String tokenUrl,
String tokenIndex, String tokenLength, String tokenName, String tokenId,
String secretName, String secretId, String secretVersion, String secretArn,
String secretPath, String secretType,
String secretManager, String secretProperties
) {
Logger logger = null;
// Pagination/iteration tokens (e.g., AWS SDK, GCP, Azure pagination cursors)
logger.info("cursor: " + nextToken); // Safe
logger.info("cursor: " + pageToken); // Safe
logger.info("cursor: " + continuationToken); // Safe
logger.info("cursor: " + cursorToken); // Safe
// Token metadata (e.g., OAuth token type, OIDC discovery endpoint)
logger.info("type: " + tokenType); // Safe
logger.info("endpoint: " + tokenEndpoint); // Safe
logger.info("count: " + tokenCount); // Safe
logger.info("url: " + tokenUrl); // Safe
logger.info("index: " + tokenIndex); // Safe
logger.info("length: " + tokenLength); // Safe
logger.info("name: " + tokenName); // Safe
logger.info("id: " + tokenId); // Safe
// Secret metadata (e.g., K8s secret name, AWS Secrets Manager identifiers)
logger.info("name: " + secretName); // Safe
logger.info("id: " + secretId); // Safe
logger.info("version: " + secretVersion); // Safe
logger.info("arn: " + secretArn); // Safe
logger.info("path: " + secretPath); // Safe
logger.info("type: " + secretType); // Safe
logger.info("manager: " + secretManager); // Safe
logger.info("properties: " + secretProperties); // Safe
}
// These should still be flagged as sensitive
void testTruePositives(String accessToken, String clientSecret, String apiSecret,
String sessionToken, String bearerToken, String secretKey,
String refreshToken, String secretValue) {
Logger logger = null;
logger.info("token: " + accessToken); // $ Alert
logger.info("secret: " + clientSecret); // $ Alert
logger.info("secret: " + apiSecret); // $ Alert
logger.info("token: " + sessionToken); // $ Alert
logger.info("token: " + bearerToken); // $ Alert
logger.info("key: " + secretKey); // $ Alert
logger.info("token: " + refreshToken); // $ Alert
logger.info("value: " + secretValue); // $ Alert
}
static String hashPassword(String input) { return input; }
static String sha256Digest(String input) { return input; }
static String encryptValue(String input) { return input; }
}
Reference in New Issue View Git Blame Copy Permalink