From 2d458f79b0c9663f4d50d5bbfa7bb480d5d89a27 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Tue, 22 Aug 2023 11:31:14 -0400
Subject: [PATCH] Add a superclass for credential nodes

---
 .../java/security/HardcodedCredentials.qll | 7 +-----
 .../code/java/security/SensitiveApi.qll | 24 +++++++++----------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
index f4ae5f98f0abb..d3cfc4e33ef1d 100644
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
@@ -58,12 +58,7 @@ abstract class CredentialsSink extends Expr {
 * credentials.
 */
 class CredentialsApiSink extends CredentialsSink {
- CredentialsApiSink() {
- this = any(PasswordParameter p).asExpr() or
- this = any(UsernameParameter p).asExpr() or
- this = any(CryptoKeyParameter p).asExpr() or
- this = any(CredentialParameter p).asExpr()
- }
+ CredentialsApiSink() { this = any(CredentialSinkNode csn).asExpr() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
index 1b8555f399c00..d3b407b51116d 100644
--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -7,31 +7,29 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 
 /**
- * A node representing a password being passed to a method.
+ * A node which represents the use of a credential.
 */
-class PasswordParameter extends DataFlow::Node {
- PasswordParameter() { sinkNode(this, "credential-password") }
-}
+abstract class CredentialSinkNode extends DataFlow::Node { }
 
 /**
- * A node representing a username being passed to a method.
+ * A node representing a password being passed to a method.
 */
-class UsernameParameter extends DataFlow::Node {
- UsernameParameter() { sinkNode(this, "credential-username") }
+class PasswordSink extends CredentialSinkNode {
+ PasswordSink() { sinkNode(this, "credential-password") }
 }
 
 /**
- * A node representing a cryptographic key being passed to a method.
+ * A node representing a username being passed to a method.
 */
-class CryptoKeyParameter extends DataFlow::Node {
- CryptoKeyParameter() { sinkNode(this, "crypto-parameter") }
+class UsernameSink extends CredentialSinkNode {
+ UsernameSink() { sinkNode(this, "credential-username") }
 }
 
 /**
- * A node representing a credential being passed to a method.
+ * A node representing a cryptographic key being passed to a method.
 */
-class CredentialParameter extends DataFlow::Node {
- CredentialParameter() { sinkNode(this, "credential-other") }
+class CryptoKeySink extends CredentialSinkNode {
+ CryptoKeySink() { sinkNode(this, "crypto-parameter") }
 }
 
 /**
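Review bot: Sinks modelled with the `credential-other` kind appear to drop out of the hard-coded credentials analysis: this hunk removes `CredentialParameter` without adding a `CredentialSinkNode` subclass for that kind, while the HardcodedCredentials.qll hunk now defines `CredentialsApiSink` solely as `any(CredentialSinkNode csn).asExpr()`. Unless such a subclass exists outside the lines shown, the query silently loses coverage for those APIs; a fourth subclass such as `class OtherCredentialSink extends CredentialSinkNode { OtherCredentialSink() { sinkNode(this, "credential-other") } }` (the name is only a suggestion), with a doc comment matching its siblings, would restore it. The public classes `PasswordParameter`, `UsernameParameter` and `CryptoKeyParameter` are also renamed without aliases, so downstream queries that reference them would stop compiling; keeping e.g. `deprecated class PasswordParameter = PasswordSink;` for each old name avoids that. A regression test with a `credential-other` model row would catch the first problem.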