All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.h3xstream.findsecbugs.password.IntuitiveHardcodePasswordDetector Maven / Gradle / Ivy

/**
 * Find Security Bugs
 * Copyright (c) Philippe Arteau, All rights reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 3.0 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library.
 */
package com.h3xstream.findsecbugs.password;

import com.h3xstream.findsecbugs.common.TaintUtil;
import com.h3xstream.findsecbugs.injection.BasicInjectionDetector;
import com.h3xstream.findsecbugs.injection.InjectionPoint;
import com.h3xstream.findsecbugs.taintanalysis.Taint;
import com.h3xstream.findsecbugs.taintanalysis.TaintFrame;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.Priorities;
import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
import org.apache.bcel.generic.ConstantPoolGen;
import org.apache.bcel.generic.InstructionHandle;
import org.apache.bcel.generic.InvokeInstruction;

import java.util.ArrayList;
import java.util.List;

/**
 * 

This detector will find what look like password hardcode on unknown API. * Such as: * MyCustomClient.setPassword("abc123!");

* *

It will also find API written in other language. * MonClient.defMotDePasse("abc123!");

* *

It will match method that contains other keywords prefixing or suffixing. * MyClient.setConnectionPwd("abc123!");

*/ public class IntuitiveHardcodePasswordDetector extends BasicInjectionDetector { private static final String HARD_CODE_PASSWORD_TYPE = "HARD_CODE_PASSWORD"; public static List PASSWORD_WORDS = new ArrayList(); static { //Passwords in various language //http://www.indifferentlanguages.com/words/password PASSWORD_WORDS.add("password"); PASSWORD_WORDS.add("motdepasse"); PASSWORD_WORDS.add("heslo"); PASSWORD_WORDS.add("adgangskode"); PASSWORD_WORDS.add("wachtwoord"); PASSWORD_WORDS.add("salasana"); PASSWORD_WORDS.add("passwort"); PASSWORD_WORDS.add("passord"); PASSWORD_WORDS.add("senha"); PASSWORD_WORDS.add("geslo"); PASSWORD_WORDS.add("clave"); PASSWORD_WORDS.add("losenord"); PASSWORD_WORDS.add("clave"); PASSWORD_WORDS.add("parola"); //Others PASSWORD_WORDS.add("secretkey"); PASSWORD_WORDS.add("pwd"); } public IntuitiveHardcodePasswordDetector(BugReporter bugReporter) { super(bugReporter); } @Override protected int getPriorityFromTaintFrame(TaintFrame fact, int offset) throws DataflowAnalysisException { Taint stringValue = fact.getStackValue(offset); if (TaintUtil.isConstantValue(stringValue)) { //Is a constant value return Priorities.NORMAL_PRIORITY; } else { return Priorities.IGNORE_PRIORITY; } } @Override protected InjectionPoint getInjectionPoint(InvokeInstruction invoke, ConstantPoolGen cpg, InstructionHandle handle) { assert invoke != null && cpg != null; String method = invoke.getMethodName(cpg); String sig = invoke.getSignature(cpg); if(sig.startsWith("(Ljava/lang/String;)")) { if(method.startsWith("set")) { // Targeting : x.setPassword("abc123") String methodLowerCase = method.toLowerCase(); for (String password : PASSWORD_WORDS) { if (methodLowerCase.contains(password)) { return new InjectionPoint(new int[]{0}, HARD_CODE_PASSWORD_TYPE); } } } else if(PASSWORD_WORDS.contains(method.toLowerCase())) { // Targeting : DSL().user("").password(String x) return new InjectionPoint(new int[]{0}, HARD_CODE_PASSWORD_TYPE); } } return InjectionPoint.NONE; } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy