passwordauthentication-hardcoded-password-java

Sakshis · Sakshis · commit 57a0547070d0 · 2024-12-11T06:33:13.000Z
diff --git a/rules/java/security/passwordauthentication-hardcoded-password-java.yml b/rules/java/security/passwordauthentication-hardcoded-password-java.yml
@@ -0,0 +1,109 @@
+id: passwordauthentication-hardcoded-password-java
+language: java
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A05:2021]: Identification and Authentication Failures
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  match_string_literal:
+    kind: string_literal
+    inside:
+      stopBy: end
+      kind: method_invocation
+      all:
+        - has:
+            stopBy: end
+            kind: identifier
+            field: name
+            regex: "^toCharArray$"
+        - has:
+            stopBy: end
+            kind: argument_list
+            field: arguments
+      inside:
+        stopBy: end
+        kind: argument_list
+        inside:
+          stopBy: end
+          kind: object_creation_expression
+          has:
+            stopBy: end
+            kind: type_identifier
+            field: type
+            regex: "^PasswordAuthentication$"
+  match_identifier_in_argumentlist:
+    kind: identifier
+    pattern: $ASDF
+    inside:
+      stopBy: end
+      kind: argument_list
+      has:
+        stopBy: end
+        kind: string_literal
+      inside:
+        stopBy: end
+        kind: object_creation_expression
+        has:
+          stopBy: end
+          kind: type_identifier
+          field: type
+          regex: "^PasswordAuthentication$"
+        inside:
+          stopBy: end
+          kind: expression_statement
+          follows:
+            stopBy: end
+            kind: local_variable_declaration
+            all:
+              - has:
+                  stopBy: end
+                  kind: array_type
+                  field: type
+                  all:
+                    - has:
+                        stopBy: end
+                        kind: integral_type
+                        field: element
+                    - has:
+                        stopBy: end
+                        kind: dimensions
+                        field: dimensions
+              - has:
+                  stopBy: end
+                  kind: variable_declarator
+                  field: declarator
+                  all:
+                    - has:
+                        stopBy: end
+                        kind: identifier
+                        pattern: $ASDF
+                    - has:
+                        stopBy: end
+                        kind: method_invocation
+                        all:
+                          - has:
+                              stopBy: end
+                              kind: string_literal
+                              field: object
+                          - has:
+                              stopBy: end
+                              kind: identifier
+                              field: name
+                              regex: "^toCharArray$"
+                          - has:
+                              stopBy: end
+                              kind: argument_list
+                              field: arguments
+
+rule:
+  any:
+    - matches: match_string_literal
+    - matches: match_identifier_in_argumentlist
diff --git a/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml b/tests/__snapshots__/passwordauthentication-hardcoded-password-java-snapshot.yml
@@ -0,0 +1,44 @@
+id: passwordauthentication-hardcoded-password-java
+snapshots:
+  ? |
+    import java.net.http.HttpRequest;
+    import java.net.PasswordAuthentication;
+    var authClient = HttpClient
+    .newBuilder()
+    .authenticator(new Authenticator() {
+    @Override
+    protected PasswordAuthentication getPasswordAuthentication() {
+    new PasswordAuthentication("postman", "password".toCharArray());
+    char[] asdf = "password".toCharArray()
+    new PasswordAuthentication("postman", asdf);
+    new PasswordAuthentication("postman", "password");
+    }
+  : labels:
+    - source: '"password"'
+      style: primary
+      start: 264
+      end: 274
+    - source: toCharArray
+      style: secondary
+      start: 275
+      end: 286
+    - source: ()
+      style: secondary
+      start: 286
+      end: 288
+    - source: PasswordAuthentication
+      style: secondary
+      start: 230
+      end: 252
+    - source: new PasswordAuthentication("postman", "password".toCharArray())
+      style: secondary
+      start: 226
+      end: 289
+    - source: ("postman", "password".toCharArray())
+      style: secondary
+      start: 252
+      end: 289
+    - source: '"password".toCharArray()'
+      style: secondary
+      start: 264
+      end: 288
diff --git a/tests/java/passwordauthentication-hardcoded-password-java-test.yml b/tests/java/passwordauthentication-hardcoded-password-java-test.yml
@@ -0,0 +1,18 @@
+id: passwordauthentication-hardcoded-password-java
+valid:
+  - |
+    new PasswordAuthentication("postman", "password");
+invalid:
+  - |
+    import java.net.http.HttpRequest;
+    import java.net.PasswordAuthentication;
+    var authClient = HttpClient
+    .newBuilder()
+    .authenticator(new Authenticator() {
+    @Override
+    protected PasswordAuthentication getPasswordAuthentication() {
+    new PasswordAuthentication("postman", "password".toCharArray());
+    char[] asdf = "password".toCharArray()
+    new PasswordAuthentication("postman", asdf);
+    new PasswordAuthentication("postman", "password");
+    }
