Remove LoadCredentialsConfiguration and update qldoc

luchua-bc · luchua-bc · commit 4e3791dc0d05 · 2021-04-09T19:36:35.000Z
diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll
@@ -40,68 +40,24 @@ predicate isNotCleartextCredentials(string value) {
   value.toLowerCase().matches(possibleSecretName())
 }
 
-/** The credentials configuration property. */
+/** A configuration property that appears to contain a cleartext secret. */
 class CredentialsConfig extends ConfigPair {
   CredentialsConfig() {
     this.getNameElement().getName().trim().toLowerCase().matches(possibleSecretName()) and
     not this.getNameElement().getName().trim().toLowerCase().matches(possibleEncryptedSecretName()) and
     not isNotCleartextCredentials(this.getValueElement().getValue().trim())
   }
 
+  /** Gets the whitespace-trimmed name of this property. */
   string getName() { result = this.getNameElement().getName().trim() }
 
+  /** Gets the whitespace-trimmed value of this property. */
   string getValue() { result = this.getValueElement().getValue().trim() }
 
   /** Returns a description of this vulnerability. */
   string getConfigDesc() {
-    exists(
-      // getProperty(...)
-      LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink, MethodAccess ma
-    |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink) and
-      ma.getArgument(0) = sink.asExpr() and
-      result = "Plaintext credentials " + this.getName() + " are loaded in Java Properties " + ma
-    )
-    or
-    exists(
-      // @Value("${mail.password}")
-      Annotation a
-    |
-      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
-      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}" and
-      result = "Plaintext credentials " + this.getName() + " are loaded in Spring annotation " + a
-    )
-    or
-    not exists(LoadCredentialsConfiguration cc, DataFlow::Node source, DataFlow::Node sink |
-      this.getName() = source.asExpr().(CompileTimeConstantExpr).getStringValue() and
-      cc.hasFlow(source, sink)
-    ) and
-    not exists(Annotation a |
-      a.getType().hasQualifiedName("org.springframework.beans.factory.annotation", "Value") and
-      a.getAValue().(CompileTimeConstantExpr).getStringValue() = "${" + this.getName() + "}"
-    ) and
     result =
       "Plaintext credentials " + this.getName() + " have cleartext value " + this.getValue() +
         " in properties file"
   }
 }
-
-/**
- * A dataflow configuration tracking flow of cleartext credentials stored in a properties file
- *  to a `Properties.getProperty(...)` method call.
- */
-class LoadCredentialsConfiguration extends DataFlow::Configuration {
-  LoadCredentialsConfiguration() { this = "LoadCredentialsConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(CredentialsConfig cc |
-      source.asExpr().(CompileTimeConstantExpr).getStringValue() = cc.getName()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() =
-      any(MethodAccess ma | ma.getMethod() instanceof PropertiesGetPropertyMethod).getArgument(0)
-  }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected b/java/ql/test/experimental/query-tests/security/CWE-555/CredentialsInPropertiesFile.expected
@@ -1,5 +1,5 @@
-| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password are loaded in Java Properties getProperty(...) |
-| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password are loaded in Java Properties getProperty(...) |
-| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password are loaded in Spring annotation Value |
-| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key are loaded in Java Properties getProperty(...) |
-| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key are loaded in Java Properties getProperty(...) |
+| configuration.properties:6:1:6:25 | ldap.password=mysecpass | Plaintext credentials ldap.password have cleartext value mysecpass in properties file |
+| configuration.properties:18:1:18:35 | datasource1.password=Passw0rd@123 | Plaintext credentials datasource1.password have cleartext value Passw0rd@123 in properties file |
+| configuration.properties:25:1:25:31 | mail.password=MysecPWxWa@1993 | Plaintext credentials mail.password have cleartext value MysecPWxWa@1993 in properties file |
+| configuration.properties:33:1:33:50 | com.example.aws.s3.access_key=AKMAMQPBYMCD6YSAYCBA | Plaintext credentials com.example.aws.s3.access_key have cleartext value AKMAMQPBYMCD6YSAYCBA in properties file |
+| configuration.properties:34:1:34:70 | com.example.aws.s3.secret_key=8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k | Plaintext credentials com.example.aws.s3.secret_key have cleartext value 8lMPSfWzZq+wcWtck5+QPLOJDZzE783pS09/IO3k in properties file |
