From 9affa157b6db4f1aa1a8c5da601c4be3c8b0ae03 Mon Sep 17 00:00:00 2001
From: luchua-bc
Date: Tue, 2 Jun 2020 03:21:27 +0000
Subject: [PATCH 1/3] Add Log4J 2 and a new search string secret
---
 java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
index d42ce25a46f9..39207936c0c9 100644
--- a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
@@ -17,7 +17,7 @@ import PathGraph
 */
 private string getACredentialRegex() {
 result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
- result = "(?i)(.*username|url).*"
+ result = "(?i)(.*username|.*secret|url).*"
 }
 /** Variable keeps sensitive information judging by its name * */
@@ -31,6 +31,7 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
 LoggerType() {
 this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
+ this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4J 2
 this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
 this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging
 }
From 6d329bce6e375f313339b288e19acd0ad2d33739 Mon Sep 17 00:00:00 2001
From: luchua-bc
Date: Fri, 3 Jul 2020 01:13:11 +0000
Subject: [PATCH 2/3] Add Apache Commons Logging and debugv method
---
 java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
index 39207936c0c9..3d82ebb2a0b1 100644
--- a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
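Review bot: The new `.*secret` alternative on the `+` line matches any identifier containing "secret", so names such as `secretQuestion` or `hasSecret` become credential expressions even though the `pass(...)` alternative on the context line just above deliberately excludes the "question" case with a negative lookahead. Applying the same guard keeps the two alternatives consistent: `result = "(?i)(.*username|.*secret(?!.*question)|url).*"`. The `url` alternative still has no leading `.*`, so a name like `jdbcUrl` is not matched while `clientSecret` is; if that asymmetry is intended, a one-line comment on `getACredentialRegex` saying so would save the next reader a check.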
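Review bot: The added `org.apache.logging.log4j.Logger` line, like every other entry in `LoggerType`, matches a type only by its exact qualified name, so whether a call made through a subtype or a project wrapper is recognised depends entirely on how `LoggerType` is consumed in `isSensitiveLoggingSink`, which is outside this hunk. If that predicate compares `ma.getMethod().getDeclaringType()` directly, a logger field declared with a concrete implementation type is silently excluded; comparing via `getASupertype*()` instead would make this list robust to that, which is worth confirming before the list grows further. The same point applies to the `LoggerType` hunks in patches 2/3 and 3/3, which only extend the list. The class also has no QLDoc; `/** A logger type whose low-priority logging methods are treated as sinks. */` above `class LoggerType` would document the intent.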
@@ -31,9 +31,10 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
 LoggerType() {
 this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
- this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4J 2
+ this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4j 2
 this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
- this.hasQualifiedName("org.jboss.logging", "BasicLogger") //JBoss Logging
+ this.hasQualifiedName("org.jboss.logging", "Logger") or //JBoss Logging
+ this.hasQualifiedName("org.apache.commons.logging", "Log") //Apache Commons Logging
 }
 }
@@ -43,7 +44,8 @@ predicate isSensitiveLoggingSink(DataFlow::Node sink) {
 (
 ma.getMethod().hasName("debug") or
 ma.getMethod().hasName("trace") or
- ma.getMethod().hasName("debugf")
+ ma.getMethod().hasName("debugf") or
+ ma.getMethod().hasName("debugv")
 ) and //Check low priority log levels which are more likely to be real issues to reduce false positives
 sink.asExpr() = ma.getAnArgument()
 )
From d6e9b07a9ea83ced6d025e3c787ce20579433b82 Mon Sep 17 00:00:00 2001
From: luchua-bc
Date: Fri, 3 Jul 2020 22:34:48 +0000
Subject: [PATCH 3/3] Add JBoss BasicLogger and SciJava Logger
---
 java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
index 3d82ebb2a0b1..b2ec0564e97a 100644
--- a/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
+++ b/java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql
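Review bot: `debugv` is added to the sink method names on the last `+` line of the second hunk, but the JBoss Logging `BasicLogger` API that defines `debugf`/`debugv` also defines `tracef`/`tracev`, and the list already treats plain `trace` as a low-priority sink; leaving the trace variants out means the same sensitive value logged at trace level through the formatted overloads is missed. Adding `ma.getMethod().hasName("tracef") or` and `ma.getMethod().hasName("tracev")` after the `debugv` line keeps the level check consistent across overload families. Within this hunk `hasName` is matched without regard to declaring type, so the restriction to `LoggerType` presumably happens earlier in `isSensitiveLoggingSink`, whose start is outside the hunk; worth confirming rather than assuming.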
@@ -31,10 +31,12 @@ class CredentialExpr extends Expr {
 class LoggerType extends RefType {
 LoggerType() {
 this.hasQualifiedName("org.apache.log4j", "Category") or //Log4J
- this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4j 2
+ this.hasQualifiedName("org.apache.logging.log4j", "Logger") or //Log4J 2
 this.hasQualifiedName("org.slf4j", "Logger") or //SLF4j and Gradle Logging
- this.hasQualifiedName("org.jboss.logging", "Logger") or //JBoss Logging
- this.hasQualifiedName("org.apache.commons.logging", "Log") //Apache Commons Logging
+ this.hasQualifiedName("org.jboss.logging", "BasicLogger") or //JBoss Logging
+ this.hasQualifiedName("org.jboss.logging", "Logger") or //JBoss Logging (`org.jboss.logging.Logger` in some implementations like JBoss Application Server 4.0.4 did not implement `BasicLogger`)
+ this.hasQualifiedName("org.apache.commons.logging", "Log") or //Apache Commons Logging
+ this.hasQualifiedName("org.scijava.log", "Logger") //SciJava Logging
 }
 }
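Review bot: The first `-`/`+` pair in this hunk changes only the trailing comment, flipping `//Log4j 2` back to `//Log4J 2` after patch 2/3 changed it the other way; this churn adds noise to the series and should be dropped from the diff. The explanation attached to the new `org.jboss.logging.Logger` line is useful but too long for a trailing comment on a disjunct; move it into a QLDoc comment on `LoggerType` that says JBoss Logging is listed twice because some `org.jboss.logging.Logger` implementations predate `BasicLogger`, and shorten the inline comment to `// JBoss Logging`. The usual QL style is `// ` with a space after the slashes, which the new lines could adopt while they are being touched.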