
Commit 6904461

Java: add CleartextStorageCookie test
Given that it's a non-path-problem dataflow query, the InlineExpectationsTest is not as useful.
1 parent a49999d commit 6904461

4 files changed

+105
-0
lines changed

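--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_1
@@ -0,0 +1,21 @@
+| CleartextStorageCookieTest.java:22:7:22:40 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:20:31:20:62 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:20:54:20:61 | password | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:44:7:44:32 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:43:23:43:51 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:43:46:43:50 | value | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:20:54:20:61 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:21:31:21:38 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:23:69:23:76 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:24:46:24:53 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:33:67:33:74 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:34:36:34:43 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:37:84:37:91 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:38:51:38:58 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:42:40:42:47 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:48:77:48:84 | password | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |
+| CleartextStorageCookieTest.java:52:7:52:50 | addCookie(...) | This stores cookie $@ containing $@ which was $@. | CleartextStorageCookieTest.java:52:26:52:49 | new Cookie(...) | new Cookie(...) | CleartextStorageCookieTest.java:49:59:49:83 | getPassword(...) | sensitive data | CleartextStorageCookieTest.java:52:45:52:48 | data | added to the cookie |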
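--- /dev/null
+++ b/PLACEHOLDER_DIR_NOT_ON_PAGE/CleartextStorageCookieTest.java
@@ -0,0 +1,79 @@
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.Cookie;
+import org.owasp.esapi.Encoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.security.MessageDigest;
+import java.net.PasswordAuthentication;
+
+public class CleartextStorageCookieTest extends HttpServlet {
+HttpServletResponse response;
+String name = "user";
+String password = "BP@ssw0rd"; // $ Source
+
+public void doGet() throws Exception {
+{
+Cookie nameCookie = new Cookie("name", name);
+nameCookie.setValue(name);
+response.addCookie(nameCookie); // Safe
+Cookie passwordCookie = new Cookie("password", password);
+passwordCookie.setValue(password);
+response.addCookie(passwordCookie); // $ Alert
+Cookie encodedPasswordCookie = new Cookie("password", encrypt(password));
+encodedPasswordCookie.setValue(encrypt(password));
+response.addCookie(encodedPasswordCookie); // Safe
+}
+{
+io.netty.handler.codec.http.Cookie nettyNameCookie =
+new io.netty.handler.codec.http.DefaultCookie("name", name);
+nettyNameCookie.setValue(name); // Safe
+
+io.netty.handler.codec.http.Cookie nettyPasswordCookie =
+new io.netty.handler.codec.http.DefaultCookie("password", password);
+nettyPasswordCookie.setValue(password); // $ MISSING: Alert (netty not supported by query)
+
+io.netty.handler.codec.http.cookie.Cookie nettyEncodedPasswordCookie =
+new io.netty.handler.codec.http.cookie.DefaultCookie("password", encrypt(password));
+nettyEncodedPasswordCookie.setValue(encrypt(password)); // Safe
+}
+{
+Encoder enc = null;
+String value = enc.encodeForHTML(password);
+Cookie cookie = new Cookie("password", value);
+response.addCookie(cookie); // $ Alert
+}
+{
+String data;
+PasswordAuthentication credentials = new PasswordAuthentication(name, password.toCharArray());
+data = credentials.getUserName() + ":" + new String(credentials.getPassword());
+
+// BAD: store data in a cookie in cleartext form
+response.addCookie(new Cookie("auth", data)); // $ Alert
+}
+{
+String data;
+PasswordAuthentication credentials =
+new PasswordAuthentication(name, password.toCharArray());
+String salt = "ThisIsMySalt";
+MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
+messageDigest.reset();
+String credentialsToHash =
+credentials.getUserName() + ":" + new String(credentials.getPassword());
+byte[] hashedCredsAsBytes =
+messageDigest.digest((salt+credentialsToHash).getBytes("UTF-8"));
+data = new String(hashedCredsAsBytes);
+
+// GOOD: store data in a cookie in encrypted form
+response.addCookie(new Cookie("auth", data)); // Safe
+}
+}
+
+
+private static String encrypt(String cleartext) throws Exception {
+MessageDigest digest = MessageDigest.getInstance("SHA-256");
+byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
+String encoded = Base64.getEncoder().encodeToString(hash);
+return encoded;
+}
+}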
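Review bot: The comment on new line 67, `// GOOD: store data in a cookie in encrypted form`, and the helper name `encrypt` on line 73 both describe a hash (SHA-512 on the salted credentials, SHA-256 plus Base64 in the helper), not encryption, and since this fixture is what documents which transformations the query treats as a sanitizer the wording should match the code. I would change the comment to `// GOOD: store data in a cookie in hashed form` and put a one-line comment above `encrypt` saying it hashes and Base64-encodes its input, rather than renaming the helper, because a rename would shift the column numbers of the `encrypt(password)` call sites that the .expected file pins (new lines 23, 24, 37, 38). Separately, `data = new String(hashedCredsAsBytes);` on line 65 decodes raw digest bytes with the platform charset, which is lossy; `data = Base64.getEncoder().encodeToString(hashedCredsAsBytes);` would match what `encrypt` does, though whether the query still reports this path as safe would need confirming against the expected output. Line 64 uses `getBytes("UTF-8")` while the helper uses `StandardCharsets.UTF_8`; picking one keeps the two "safe" paths consistent.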
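--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_3
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-312/CleartextStorageCookie.ql
+postprocess:
+- utils/test/PrettyPrintModels.ql
+- utils/test/InlineExpectationsTestQuery.ql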
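--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE_4
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../../stubs/esapi-2.0.1:${testdir}/../../../../stubs/netty-4.1.x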
