github · egregius313 · Oct 31, 2023 · Aug 11, 2023 · Aug 11, 2023 · Aug 11, 2023
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* In `SensitiveApi.qll`, `javaApiCallablePasswordParam`, `javaApiCallableUsernameParam`, `javaApiCallableCryptoKeyParam`, and `otherApiCallableCredentialParam` predicates have been deprecated. They have been replaced with a new class `CredentialsSinkNode` and its child classes `PasswordSink`, `UsernameSink`, and `CryptoKeySink`. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["ch.ethz.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["ch.ethz.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.amazonaws.auth", "BasicAWSCredentials", False, "BasicAWSCredentials", "(String,String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.amazonaws.auth", "BasicAWSCredentials", False, "BasicAWSCredentials", "(String,String)", "", "Argument[1]", "credentials-key", "manual"]
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC256", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC256", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC384", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC384", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC512", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC512", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.azure.identity", "ClientSecretCredentialBuilder", False, "clientSecret", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.azure.identity", "UsernamePasswordCredentialBuilder", False, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.azure.identity", "UsernamePasswordCredentialBuilder", False, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
@@ -4,6 +4,10 @@ extensions:
       extensible: sinkModel
     data:
       - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.jcraft.jsch", "Session", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.jcraft.jsch", "Session", False, "setPassword", "(byte[])", "", "Argument[0]", "credentials-password", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "getConnection", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "getConnection", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "setUser", "(String)", "", "Argument[0]", "credentials-username", "manual"]
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.mongodb", "MongoCredential", False, "createCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createGSSAPICredential", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoCRCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoCRCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoX509Credential", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createPlainCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createPlainCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createScramSha1Credential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createScramSha1Credential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sshtools.j2ssh.authentication", "PasswordAuthenticationClient", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.sshtools.j2ssh.authentication", "PasswordAuthenticationClient", True, "setUsername", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.sshtools.j2ssh.authentication", "SshAuthenticationClient", True, "setUsername", "(String)", "", "Argument[0]", "credentials-username", "manual"]
@@ -0,0 +1,24 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "getPreKeyedHash", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.crypto.provider", "KeyProtector", False, "KeyProtector", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.crypto.provider", "CipherCore", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESCrypt", False, "expandKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKey", False, "DESKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKey", False, "DESKey", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKeyGenerator", False, "setParityBit", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESedeKey", False, "DESedeKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESedeKey", False, "DESedeKey", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DHPrivateKey", False, "DHPrivateKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DHPublicKey", False, "DHPublicKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "FeedbackCipher", True, "init", "(boolean,String,byte[],byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "GaloisCounterMode", False, "init", "(boolean,String,byte[],byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "GaloisCounterMode", False, "init", "(boolean,String,byte[],byte[],int)", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PBECipherCore", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PBES1Core", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PKCS12PBECipherCore", False, "implUnwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "SymmetricCipher", True, "init", "(boolean,String,byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "TlsMasterSecretGenerator$TlsMasterSecretKey", False, "TlsMasterSecretKey", "(byte[],int,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.jndi.ldap", "DigestClientId", False, "DigestClientId", "(int,String,int,String,Control[],OutputStream,String,String,Object,Hashtable)", "", "Argument[7]", "credentials-username", "hq-generated"]
+      - ["com.sun.jndi.ldap", "LdapClient", False, "getInstance", "(boolean,String,int,String,int,int,OutputStream,int,String,Control[],String,String,Object,Hashtable)", "", "Argument[11]", "credentials-username", "hq-generated"]
+      - ["com.sun.jndi.ldap", "LdapPoolManager", False, "getLdapClient", "(String,int,String,int,int,OutputStream,int,String,Control[],String,String,Object,Hashtable)", "", "Argument[10]", "credentials-username", "hq-generated"]
+      - ["com.sun.jndi.ldap", "SimpleClientId", False, "SimpleClientId", "(int,String,int,String,Control[],OutputStream,String,String,Object)", "", "Argument[7]", "credentials-username", "hq-generated"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.net.httpserver", "BasicAuthenticator", False, "checkCredentials", "(String,String)", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["com.sun.net.httpserver", "BasicAuthenticator", False, "checkCredentials", "(String,String)", "", "Argument[0]", "credentials-username", "hq-generated"]
+      - ["com.sun.net.httpserver", "HttpPrincipal", False, "HttpPrincipal", "(String,String)", "", "Argument[0]", "credentials-username", "hq-generated"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.net.ssl", "KeyManagerFactory", False, "init", "(KeyStore,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["com.sun.net.ssl", "KeyManagerFactorySpi", False, "engineInit", "(KeyStore,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["com.sun.net.ssl", "KeyManagerFactorySpiWrapper", False, "engineInit", "(KeyStore,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.rowset", "JdbcRowSetImpl", False, "JdbcRowSetImpl", "(String,String,String)", "", "Argument[2]", "credentials-password", "hq-generated"]
+      - ["com.sun.rowset", "JdbcRowSetImpl", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.rowset", "JdbcRowSetImpl", False, "JdbcRowSetImpl", "(String,String,String)", "", "Argument[1]", "credentials-username", "hq-generated"]
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.auth.module", "JndiLoginModule", False, "verifyPassword", "(String,String)", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.auth.module", "JndiLoginModule", False, "verifyPassword", "(String,String)", "", "Argument[1]", "credentials-password", "hq-generated"]
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.ntlm", "Client", False, "Client", "(String,String,String,String,char[])", "", "Argument[4]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.ntlm", "NTLM", False, "getP1", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.ntlm", "NTLM", False, "getP2", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.ntlm", "Client", False, "Client", "(String,String,String,String,char[])", "", "Argument[2]", "credentials-username", "hq-generated"]
+      - ["com.sun.security.ntlm", "Server", False, "getPassword", "(String,String)", "", "Argument[1]", "credentials-username", "hq-generated"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.sasl.digest", "DigestMD5Base", False, "generateResponseValue", "(String,String,String,String,String,char[],byte[],byte[],int,byte[])", "", "Argument[5]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.sasl.digest", "DigestMD5Server", False, "generateResponseAuth", "(String,char[],byte[],int,byte[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["com.sun.security.sasl.digest", "DigestMD5Server", False, "generateResponseAuth", "(String,char[],byte[],int,byte[])", "", "Argument[0]", "credentials-username", "hq-generated"]
@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithDSA", "(String,String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithDSA", "(String,String,String)", "", "Argument[1]", "credentials-key", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithDSA", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithNone", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPublicKey", "(String,char[],String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPublicKey", "(String,File,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPublicKey", "(String,char[],String)", "", "Argument[1]", "credentials-key", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPublicKey", "(String,char[],String)", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "authenticateWithPublicKey", "(String,File,String)", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "getRemainingAuthMethods", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.trilead.ssh2", "Connection", False, "isAuthMethodAvailable", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
@@ -10,6 +10,7 @@ extensions:
       extensible: sinkModel
     data:
       - ["java.net", "DatagramSocket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
       - ["java.net", "Socket", True, "Socket", "(String,int)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["java.net", "URL", False, "openConnection", "", "", "Argument[this]", "request-forgery", "manual"]
       - ["java.net", "URL", False, "openConnection", "(Proxy)", "", "Argument[0]", "request-forgery", "ai-manual"]
@@ -25,6 +26,7 @@ extensions:
       - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader,URLStreamHandlerFactory)", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
+      - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.security.cert", "X509CertSelector", False, "setSubjectPublicKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
@@ -0,0 +1,17 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.security", "KeyStore", False, "getKey", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStore", False, "load", "(InputStream,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStore", False, "setKeyEntry", "(String,Key,char[],Certificate[])", "", "Argument[2]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStore", False, "setKeyEntry", "(String,byte[],Certificate[])", "", "Argument[1]", "credentials-key", "hq-generated"]
+      - ["java.security", "KeyStore", False, "store", "(OutputStream,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStore$PasswordProtection", False, "PasswordProtection", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStore$PasswordProtection", False, "PasswordProtection", "(char[],String,AlgorithmParameterSpec)", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStoreSpi", True, "engineGetKey", "(String,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStoreSpi", True, "engineLoad", "(InputStream,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStoreSpi", True, "engineSetKeyEntry", "(String,Key,char[],Certificate[])", "", "Argument[2]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStoreSpi", True, "engineStore", "(OutputStream,char[])", "", "Argument[1]", "credentials-password", "hq-generated"]
+      - ["java.security", "KeyStoreSpi", True, "engineSetKeyEntry", "(String,byte[],Certificate[])", "", "Argument[1]", "credentials-key", "hq-generated"]
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.security.spec", "EncodedKeySpec", False, "EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["java.security.spec", "PKCS8EncodedKeySpec", False, "PKCS8EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["java.security.spec", "X509EncodedKeySpec", False, "X509EncodedKeySpec", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]