Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Extract module HardcodedCredentials from CWE-798 #3992

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

Java: Extract module HardcodedCredentials from CWE-798 #3992

wants to merge 6 commits into from

Conversation

rvermeulen
Copy link
Contributor

This PR needs some scrutinizing.

In this change we:

  • Move the module HardcodedCredentials to an importable location
  • Rename the module SensitiveApi to CredentialReceivingApi and move it to an importable location
  • Extend the CredentialSink from DataFlow::Expr instead of Expr
  • Generalize UsernameVariable and PasswordVariable

@rvermeulen
Move HardcodedCredentials and SensitiveApi libs
431e231 
The SensitiveApi library is renamed to CredentialReceivingApi to specify
its usage, because without context sensitive api is too general.
@rvermeulen
Extend credential sink from dataflow expr
d1b383e
@rvermeulen
Add top-level qldoc describing the modules
6be583e
@rvermeulen
Generalize the UsernameVariable and PasswordVariable
2c76c01 
This enables customizations to extend the notion of a username or
password variable.
@rvermeulen rvermeulen requested a review from a team as a code owner July 30, 2020 11:11
@rvermeulen @intrigus-lgtm
Fix punctuation and typo
d52c070 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
aschackmull
aschackmull reviewed Aug 6, 2020
View reviewed changes
java/ql/src/semmle/code/java/security/HardcodedCredentials.qll
*/
abstract class CredentialsSink extends Expr {
/** An argument to a sensitive call, expected to contain credentials. */
abstract class CredentialsSink extends DataFlow::Expr {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
abstract class CredentialsSink extends DataFlow::Expr {
abstract class CredentialsSink extends Expr {

The type Expr is not intentionally exposed through the DataFlow module (though with all the import java statements it's no surprise that it slipped in).

@aschackmull
Copy link
Contributor

What is the use case for this PR? Which of the queries need support for extension and in which ways? And which parts of the moved library are expected to be re-usable in other contexts outside the CWE-798 queries?
Without reasonable use cases, I think we should leave the library where it is.

@rvermeulen
Copy link
Contributor Author

For this case there is no immediate use case. I'm making all possible extension points (e.g, source, sinks, ...) in the Security/CWE/* available to customization via Customizations.qll to prevent query duplication if we need to extend a CWE query. This should help if there are cases where closed source CredentialSink instances need to be modeled for example.

@aschackmull
Copy link
Contributor

I'm making all possible extension points

In general, queries have an infinite number of possible extension points, although I agree that for most cases it comes down to source and sink extensions.

The way these queries are made, means that there's an implicit assumption that CredentialsSink consists of just two cases: Sinks defined in the source CredentialsSourceSink and sinks defined outside the source CredentialsApiSink. So CredentialsSink shouldn't really be exposed as an abstract class, as this suggests an extension point, which would invalidate this assumption. If a closed-source credential sink needs to be added, then it is the CredentialsApiSink that should be extended.

@rvermeulen
Copy link
Contributor Author

I'm making all possible extension points

In general, queries have an infinite number of possible extension points, although I agree that for most cases it comes down to source and sink extensions.

True, I indeed mean the more common cases.

The way these queries are made, means that there's an implicit assumption that CredentialsSink consists of just two cases: > Sinks defined in the source CredentialsSourceSink and sinks defined outside the source CredentialsApiSink. So CredentialsSink shouldn't really be exposed as an abstract class, as this suggests an extension point, which would invalidate > this assumption. If a closed-source credential sink needs to be added, then it is the CredentialsApiSink that should be extended.

Clear, I agree that CredentialsApiSink should be the only exposed point of extension. Given how it is now structured I need to give this some more thought since both the abstract CredentialsSink as its subclasses are directly referenced.

@rvermeulen rvermeulen marked this pull request as draft August 6, 2020 12:17
@adityasharad adityasharad changed the base branch from master to main August 14, 2020 18:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull

@intrigus-lgtm intrigus-lgtm

Copilot code review Copilot

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rvermeulen @aschackmull @intrigus-lgtm