rename change notes

Author: mbaluda

java/ql/lib/ext/com.couchbase.client.core.env.model.yml

@@ -3,10 +3,26 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
+      # 'credentials-password' sinks
       - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
-      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional<String>)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
       - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
-      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
-      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier<String>)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
       - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
+      # 'credentials-username' sinks
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.couchbase.client.core.env", "UsernameAndPassword", true, "UsernameAndPassword", "(String,String)", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]

java/ql/lib/ext/com.couchbase.client.java.model.yml

@@ -3,42 +3,26 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
-      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      # 'credentials-username' sinks
       - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      # 'credentials-password' sinks
       - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      # 'sql-injection' sinks
       - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
       - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
       - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
       - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object,UpsertOptions)", "", "Argument[1]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object,ReplaceOptions)", "", "Argument[1]", "sql-injection", "manual"]
 
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
     data:
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[0]", "ReturnValue.MapKey", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[1]", "ReturnValue.MapValue", "taint", "manual"]
       - ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java

@@ -1,35 +1,53 @@
 import static com.couchbase.client.java.ClusterOptions.clusterOptions;
 
-import com.couchbase.client.core.env.Authenticator;
 import com.couchbase.client.core.env.CertificateAuthenticator;
 import com.couchbase.client.core.env.PasswordAuthenticator;
+import com.couchbase.client.core.env.UsernameAndPassword;
 import com.couchbase.client.java.Cluster;
+import java.util.function.Supplier;
 
 public class HardcodedCouchBaseCredentials {
   public static void test() {
-    Cluster cluster1 =
-        Cluster.connect(
-            "127.0.0.1",
-            "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-            "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-    Cluster cluster2 =
-        Cluster.connect(
-            "127.0.0.1",
-            clusterOptions(
-                "Administrator", // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-                "password")); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-    PasswordAuthenticator authenticator1 =
-        PasswordAuthenticator.builder()
-            .username(
-                "Administrator") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-            .password("password") // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
-            .onlyEnablePlainSaslMechanism()
-            .build();
+    // com.couchbase.client.core.env.CertificateAuthenticator sinks
+    CertificateAuthenticator.fromKey(null, "keyPassword", null); // $ HardcodedCredentialsApiCall
+    CertificateAuthenticator.fromKeyStore(
+        null, "keyStorePassword", null); // $ HardcodedCredentialsApiCall
+    CertificateAuthenticator.fromKeyStore(
+        null, "keyStorePassword"); // $ HardcodedCredentialsApiCall
 
-    Authenticator authenticator2 =
-        CertificateAuthenticator.fromKeyStore(
-            null,
-            "keyStorePassword"); // $ HardcodedCredentialsApiCall
-    Cluster cluster = Cluster.connect("127.0.0.1", clusterOptions(authenticator2));
+    // com.couchbase.client.core.env.PasswordAuthenticator sinks
+    PasswordAuthenticator.create(
+        "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+        "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+    PasswordAuthenticator.ldapCompatible(
+        "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+        "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+
+    // com.couchbase.client.core.env.PasswordAuthenticator$Builder sinks
+    PasswordAuthenticator.builder(
+        "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+        "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+    PasswordAuthenticator.builder()
+        .username("Administrator") // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+        .password("password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+    PasswordAuthenticator.builder((Supplier<UsernameAndPassword>) new UsernameAndPassword(
+                "Administrator", // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall 
+                "password")); // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall 
+    PasswordAuthenticator.builder()
+        .username((Supplier<String>) () -> {return "Administrator";}) // $ MISSING: HardcodedCredentialsApiCall
+        .password((Supplier<String>) () -> {return "password";}); // $ MISSING: HardcodedCredentialsApiCall
+
+    // com.couchbase.client.java.Cluster sinks
+    Cluster.connect(
+        "127.0.0.1",
+        "Administrator", // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+        "password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
+
+    // com.couchbase.client.java.ClusterOptions sinks
+    Cluster.connect(
+        "127.0.0.1",
+        clusterOptions(
+            "Administrator", // $ HardcodedCredentialsApiCall
+            "password")); // $ HardcodedCredentialsApiCall
   }
-}
+}