
Commit 4c6df3f

authored
Merge pull request #12813 from atorralba/atorralba/java/sensitive-expr-fix-and-tests
Java: Add tests for SensitiveActions and fix getCommonSensitiveInfoRegex
2 parents 6968de2 + 4f2ffcc commit 4c6df3f

5 files changed

+233
-1
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Fixed a bug in the regular expression used to identify sensitive information in `SensitiveActions::getCommonSensitiveInfoRegex`. This may affect the results of the queries `java/android/sensitive-communication`, `java/android/sensitive-keyboard-cache`, and `java/sensitive-log`.

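--- a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -31,7 +31,7 @@ private string nonSuspicious() {
 * Gets a regular expression for matching common names of variables that indicate the value being held contains sensitive information.
 */
 string getCommonSensitiveInfoRegex() {
-result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
+result = "(?i).*(challenge|pass(wd|word|code|phrase))(?!.*question).*" or
 result = "(?i).*(token|secret).*"
 }
 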
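Review bot: The `(?!.*question)` lookahead on the new line 34 only excludes names where "question" comes *after* the matched keyword, so `passwordQuestion` is filtered but `questionPassword` is not, and the `token|secret` alternative on line 35 carries no exclusion at all; that asymmetry is not mentioned in the doc comment above. Since this regex feeds `java/sensitive-log` and the Android queries named in the change note, I would record it next to the result, e.g. `// "question" following the keyword (passwordQuestion) is excluded; preceding it (questionPassword) is not, and token|secret is never excluded.` Callers using `regexpMatch` get a full-string match, which is why both alternatives keep the surrounding `.*`; a one-line note on that would save the next reader from "fixing" it. The `nonSuspicious()` predicate named in the hunk header starts outside this hunk.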
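--- /dev/null
+++ b/Test.java
@@ -0,0 +1,145 @@
+class Test {
+
+private void aaPasswordaa() {}
+
+private void aaPasswdaa() {}
+
+private void aaAccountaa() {}
+
+private void aaAccntaa() {}
+
+private void aaTrustedaa() {}
+
+private void aaRefreshaaTokenaa() {}
+
+private void aaSecretaaTokenaa() {}
+
+private void aaHashedPasswordaa() {}
+
+private void aaHashedPasswdaa() {}
+
+private void aaHashedAccountaa() {}
+
+private void aaHashedAccntaa() {}
+
+private void aaHashedTrustedaa() {}
+
+private void aaHashedRefreshaaTokenaa() {}
+
+private void aaHashedsecretaatokenaa() {}
+
+private void aaCryptPasswordaa() {}
+
+private void aaCryptPasswdaa() {}
+
+private void aaCryptAccountaa() {}
+
+private void aaCryptAccntaa() {}
+
+private void aaCryptTrustedaa() {}
+
+private void aaCryptRefreshaaTokenaa() {}
+
+private void aaCryptSecretaaTokenaa() {}
+
+private void dummy(String dummy) {}
+
+public void suspicious() {
+String aaPasswordaa = "";
+String aaPasswdaa = "";
+String aaAccountaa = "";
+String aaAccntaa = "";
+String aaTrustedaa = "";
+String aaRefreshaaTokenaa = "";
+String aaSecretaaTokenaa = "";
+dummy(aaPasswordaa);
+dummy(aaPasswdaa);
+dummy(aaAccountaa);
+dummy(aaAccntaa);
+dummy(aaTrustedaa);
+dummy(aaRefreshaaTokenaa);
+dummy(aaSecretaaTokenaa);
+aaPasswordaa();
+aaPasswdaa();
+aaAccountaa();
+aaAccntaa();
+aaTrustedaa();
+aaRefreshaaTokenaa();
+aaSecretaaTokenaa();
+}
+
+public void nonSuspicious() {
+String aaHashedPasswordaa = "";
+String aaHashedPasswdaa = "";
+String aaHashedAccountaa = "";
+String aaHashedAccntaa = "";
+String aaHashedTrustedaa = "";
+String aaHashedRefreshaaTokenaa = "";
+String aaHashedsecretaatokenaa = "";
+String aaCryptPasswordaa = "";
+String aaCryptPasswdaa = "";
+String aaCryptAccountaa = "";
+String aaCryptAccntaa = "";
+String aaCryptTrustedaa = "";
+String aaCryptRefreshaaTokenaa = "";
+String aaCryptSecretaaTokenaa = "";
+dummy(aaHashedPasswordaa);
+dummy(aaHashedPasswdaa);
+dummy(aaHashedAccountaa);
+dummy(aaHashedAccntaa);
+dummy(aaHashedTrustedaa);
+dummy(aaHashedRefreshaaTokenaa);
+dummy(aaHashedsecretaatokenaa);
+dummy(aaCryptPasswordaa);
+dummy(aaCryptPasswdaa);
+dummy(aaCryptAccountaa);
+dummy(aaCryptAccntaa);
+dummy(aaCryptTrustedaa);
+dummy(aaCryptRefreshaaTokenaa);
+dummy(aaCryptSecretaaTokenaa);
+aaHashedPasswordaa();
+aaHashedPasswdaa();
+aaHashedAccountaa();
+aaHashedAccntaa();
+aaHashedTrustedaa();
+aaHashedRefreshaaTokenaa();
+aaHashedsecretaatokenaa();
+aaCryptPasswordaa();
+aaCryptPasswdaa();
+aaCryptAccountaa();
+aaCryptAccntaa();
+aaCryptTrustedaa();
+aaCryptRefreshaaTokenaa();
+aaCryptSecretaaTokenaa();
+}
+
+public void sensitive() {
+String aaChallengeaa = "";
+String aaPasswdaa = "";
+String aaPasswordaa = "";
+String aaPasscodeaa = "";
+String aaPassphraseaa = "";
+String aaTokenaa = "";
+String aaSecretaa = "";
+dummy(aaChallengeaa);
+dummy(aaPasswdaa);
+dummy(aaPasswordaa);
+dummy(aaPasscodeaa);
+dummy(aaPassphraseaa);
+dummy(aaTokenaa);
+dummy(aaSecretaa);
+}
+
+public void nonSensitive() {
+String aaChallengeaaQuestionaa = "";
+String aaPasswdaaQuestionaa = "";
+String aaPasswordaaQuestionaa = "";
+String aaPasscodeaaQuestionaa = "";
+String aaPassphraseaaQuestionaa = "";
+dummy(aaChallengeaaQuestionaa);
+dummy(aaPasswdaaQuestionaa);
+dummy(aaPasswordaaQuestionaa);
+dummy(aaPasscodeaaQuestionaa);
+dummy(aaPassphraseaaQuestionaa);
+}
+}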
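Review bot: The `nonSensitive` method (lines 133-144) only exercises "question" placed after the keyword, so the test does not pin down the two behaviours the fixed regex still has: a name with "question" before the keyword is still matched, and the `token|secret` alternative has no "question" exclusion at all. I would add `String aaQuestionaaPasswordaa = "";` and `String aaTokenaaQuestionaa = "";` (with matching `dummy(...)` calls) to `sensitive()`, so a future edit that moves or widens the lookahead changes the expected output rather than passing silently. The method names in `nonSuspicious()` (lines 71-114) have no comment saying why `Hashed`/`Crypt` prefixes are expected to be non-suspicious; a one-line comment above that method naming the `nonSuspicious()` predicate in `SensitiveActions.qll` would make the intent of the block clear to the next reader.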
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
sensitiveMethodAccess
2+
| Test.java:62:9:62:22 | aaPasswordaa(...) |
3+
| Test.java:63:9:63:20 | aaPasswdaa(...) |
4+
| Test.java:64:9:64:21 | aaAccountaa(...) |
5+
| Test.java:65:9:65:19 | aaAccntaa(...) |
6+
| Test.java:66:9:66:21 | aaTrustedaa(...) |
7+
| Test.java:67:9:67:28 | aaRefreshaaTokenaa(...) |
8+
| Test.java:100:9:100:28 | aaHashedPasswordaa(...) |
9+
| Test.java:101:9:101:26 | aaHashedPasswdaa(...) |
10+
| Test.java:102:9:102:27 | aaHashedAccountaa(...) |
11+
| Test.java:103:9:103:25 | aaHashedAccntaa(...) |
12+
| Test.java:104:9:104:27 | aaHashedTrustedaa(...) |
13+
| Test.java:105:9:105:34 | aaHashedRefreshaaTokenaa(...) |
14+
| Test.java:107:9:107:27 | aaCryptPasswordaa(...) |
15+
| Test.java:108:9:108:25 | aaCryptPasswdaa(...) |
16+
| Test.java:109:9:109:26 | aaCryptAccountaa(...) |
17+
| Test.java:110:9:110:24 | aaCryptAccntaa(...) |
18+
| Test.java:111:9:111:26 | aaCryptTrustedaa(...) |
19+
| Test.java:112:9:112:33 | aaCryptRefreshaaTokenaa(...) |
20+
sensitiveVarAccess
21+
| Test.java:55:15:55:26 | aaPasswordaa |
22+
| Test.java:56:15:56:24 | aaPasswdaa |
23+
| Test.java:57:15:57:25 | aaAccountaa |
24+
| Test.java:58:15:58:23 | aaAccntaa |
25+
| Test.java:59:15:59:25 | aaTrustedaa |
26+
| Test.java:60:15:60:32 | aaRefreshaaTokenaa |
27+
| Test.java:125:15:125:24 | aaPasswdaa |
28+
| Test.java:126:15:126:26 | aaPasswordaa |
29+
| Test.java:140:15:140:34 | aaPasswdaaQuestionaa |
30+
| Test.java:141:15:141:36 | aaPasswordaaQuestionaa |
31+
sensitiveVariable
32+
| Test.java:48:9:48:33 | String aaPasswordaa |
33+
| Test.java:49:9:49:31 | String aaPasswdaa |
34+
| Test.java:53:9:53:39 | String aaRefreshaaTokenaa |
35+
| Test.java:54:9:54:38 | String aaSecretaaTokenaa |
36+
| Test.java:72:9:72:39 | String aaHashedPasswordaa |
37+
| Test.java:73:9:73:37 | String aaHashedPasswdaa |
38+
| Test.java:77:9:77:45 | String aaHashedRefreshaaTokenaa |
39+
| Test.java:78:9:78:44 | String aaHashedsecretaatokenaa |
40+
| Test.java:79:9:79:38 | String aaCryptPasswordaa |
41+
| Test.java:80:9:80:36 | String aaCryptPasswdaa |
42+
| Test.java:84:9:84:44 | String aaCryptRefreshaaTokenaa |
43+
| Test.java:85:9:85:43 | String aaCryptSecretaaTokenaa |
44+
| Test.java:117:9:117:34 | String aaChallengeaa |
45+
| Test.java:118:9:118:31 | String aaPasswdaa |
46+
| Test.java:119:9:119:33 | String aaPasswordaa |
47+
| Test.java:120:9:120:33 | String aaPasscodeaa |
48+
| Test.java:121:9:121:35 | String aaPassphraseaa |
49+
| Test.java:122:9:122:30 | String aaTokenaa |
50+
| Test.java:123:9:123:31 | String aaSecretaa |
51+
sensitiveDataMethod
52+
| Test.java:3:18:3:29 | aaPasswordaa |
53+
| Test.java:5:18:5:27 | aaPasswdaa |
54+
| Test.java:7:18:7:28 | aaAccountaa |
55+
| Test.java:9:18:9:26 | aaAccntaa |
56+
| Test.java:11:18:11:28 | aaTrustedaa |
57+
| Test.java:13:18:13:35 | aaRefreshaaTokenaa |
58+
| Test.java:17:18:17:35 | aaHashedPasswordaa |
59+
| Test.java:19:18:19:33 | aaHashedPasswdaa |
60+
| Test.java:21:18:21:34 | aaHashedAccountaa |
61+
| Test.java:23:18:23:32 | aaHashedAccntaa |
62+
| Test.java:25:18:25:34 | aaHashedTrustedaa |
63+
| Test.java:27:18:27:41 | aaHashedRefreshaaTokenaa |
64+
| Test.java:31:18:31:34 | aaCryptPasswordaa |
65+
| Test.java:33:18:33:32 | aaCryptPasswdaa |
66+
| Test.java:35:18:35:33 | aaCryptAccountaa |
67+
| Test.java:37:18:37:31 | aaCryptAccntaa |
68+
| Test.java:39:18:39:33 | aaCryptTrustedaa |
69+
| Test.java:41:18:41:40 | aaCryptRefreshaaTokenaa |
70+
| file:///modules/java.base/java/lang/invoke/MemberName.class:0:0:0:0 | isTrustedFinalField |
71+
| file:///modules/java.base/java/lang/reflect/Field.class:0:0:0:0 | isTrustedFinal |
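Review bot: The expected rows show `sensitiveMethodAccess` and `sensitiveDataMethod` reporting every `aaHashed...`/`aaCrypt...` method (Test.java lines 100-112 and 17-41) while `sensitiveVarAccess` reports none of the same-named variables from lines 86-99, so the `Hashed`/`Crypt` exclusion appears to apply to variables but not to methods; the predicates deciding that are outside this diff, so this may be intended, but if so a comment in `Test.java`'s `nonSuspicious()` saying that methods are expected to be flagged would stop the next reader from treating it as a bug. Similarly, `aaSecretaaTokenaa` (line 61 access, line 68 call) and its `Hashed`/`Crypt` variants are absent from both access predicates while `aaRefreshaaTokenaa` at the neighbouring lines is present, which looks like a gap worth either explaining or filing. The two trailing `file:///modules/java.base/...` rows tie this expectation to the JDK stubs used by the test harness rather than to `Test.java`.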
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
import java
2+
import semmle.code.java.security.SensitiveActions
3+
4+
query predicate sensitiveMethodAccess(SensitiveMethodAccess ma) { any() }
5+
6+
query predicate sensitiveVarAccess(SensitiveVarAccess va) { any() }
7+
8+
query predicate sensitiveVariable(Variable v) {
9+
v.getName().regexpMatch(getCommonSensitiveInfoRegex())
10+
}
11+
12+
query predicate sensitiveDataMethod(SensitiveDataMethod m) { any() }
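Review bot: `sensitiveDataMethod` on the last line is unrestricted, which is why the expected output picks up `isTrustedFinal` and `isTrustedFinalField` from `java.base`; those rows will shift whenever the JDK stubs the test runs against change, for reasons unrelated to `SensitiveActions.qll`. Restricting it to the test's own code, `query predicate sensitiveDataMethod(SensitiveDataMethod m) { m.fromSource() }`, keeps the expectation about the regex only. A one-line comment above `sensitiveVariable` noting that it tests `getCommonSensitiveInfoRegex()` directly (full-string `regexpMatch` on the variable name) while the other three predicates go through the library classes would help readers see which rows belong to which change.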
