[java] HardcodedCryptoKey false negative with variable assignments #3368

This commit is contained in:
Andreas Dangel
2021-10-07 19:09:06 +02:00
parent c9077e19ea
commit 701938de1c
3 changed files with 49 additions and 0 deletions


@@ -16,6 +16,9 @@ This is a {{ site.pmd.release_type }} release.
### Fixed Issues
* java-security
* [#3368](https://github.com/pmd/pmd/issues/3368): \[java] HardcodedCryptoKey false negative with variable assignments
### API Changes
### External Contributions


@@ -4,19 +4,24 @@
package net.sourceforge.pmd.lang.java.rule.security;
import java.util.List;
import net.sourceforge.pmd.lang.ast.Node;
import net.sourceforge.pmd.lang.java.ast.ASTAllocationExpression;
import net.sourceforge.pmd.lang.java.ast.ASTArgumentList;
import net.sourceforge.pmd.lang.java.ast.ASTArguments;
import net.sourceforge.pmd.lang.java.ast.ASTArrayInitializer;
import net.sourceforge.pmd.lang.java.ast.ASTAssignmentOperator;
import net.sourceforge.pmd.lang.java.ast.ASTClassOrInterfaceType;
import net.sourceforge.pmd.lang.java.ast.ASTLiteral;
import net.sourceforge.pmd.lang.java.ast.ASTName;
import net.sourceforge.pmd.lang.java.ast.ASTPrimaryPrefix;
import net.sourceforge.pmd.lang.java.ast.ASTStatementExpression;
import net.sourceforge.pmd.lang.java.ast.ASTVariableInitializer;
import net.sourceforge.pmd.lang.java.rule.AbstractJavaRule;
import net.sourceforge.pmd.lang.java.symboltable.VariableNameDeclaration;
import net.sourceforge.pmd.lang.java.types.TypeTestUtil;
import net.sourceforge.pmd.lang.symboltable.NameOccurrence;
/**
* Finds hard coded encryption keys that are passed to
@@ -75,6 +80,14 @@ public class HardCodedCryptoKeyRule extends AbstractJavaRule {
if (initializer != null) {
validateProperKeyArgument(data, initializer.getFirstDescendantOfType(ASTPrimaryPrefix.class));
}
List<NameOccurrence> usages = varDecl.getNode().getScope().getDeclarations().get(varDecl);
for (NameOccurrence occurrence : usages) {
ASTStatementExpression parentExpr = occurrence.getLocation().getFirstParentOfType(ASTStatementExpression.class);
if (isAssignment(parentExpr)) {
validateProperKeyArgument(data, parentExpr.getChild(2).getFirstDescendantOfType(ASTPrimaryPrefix.class));
}
}
}
}
@@ -90,4 +103,10 @@ public class HardCodedCryptoKeyRule extends AbstractJavaRule {
addViolation(data, literal);
}
}
private boolean isAssignment(ASTStatementExpression statement) {
return statement != null
&& statement.getNumChildren() >= 3
&& statement.getChild(1) instanceof ASTAssignmentOperator;
}
}
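Review bot: The new usage loop starting at `List<NameOccurrence> usages = ...` validates the right-hand side of any assignment statement that merely contains an occurrence of the key variable, not only assignments to it; `isAssignment` checks the operator but never that the occurrence is the left-hand operand, so a statement such as `other = "prefix" + key;` would have its string literal reported as a hard-coded key. Guard the call with a left-hand-side check, for example `if (isAssignment(parentExpr) && parentExpr.getChild(0).findDescendantsOfType(ASTName.class).contains(occurrence.getLocation()))`, or the symbol table's own left-hand-side predicate if `occurrence` is a `JavaNameOccurrence` — confirm against the PMD 6 API before relying on either. `isAssignment` would also read better with a one-line Javadoc such as `/** True when {@code statement} has the shape {@code lhs <op>= rhs}, i.e. its second child is an assignment operator. */`. The enclosing visit method begins before this hunk, so the null-handling of `validateProperKeyArgument` for a right-hand side without an `ASTPrimaryPrefix` cannot be confirmed from here.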


@@ -83,6 +83,33 @@ public class Foo {
data.getAccessKey(), data.getClientIp(), data.getTimeStamp(), data.getEnv());
SecretKeySpec secretKeySpec = new SecretKeySpec(computedSecretKey, data.getSecretKeyAlgorithm().getName());
}
}
]]></code>
</test-code>
<test-code>
<description>[java] HardcodedCryptoKey false negative with variable assignments #3368</description>
<expected-problems>3</expected-problems>
<expected-linenumbers>7,9,16</expected-linenumbers>
<code><![CDATA[
import javax.crypto.spec.SecretKeySpec;
public class Foo {
public void testHardCodedCryptoKey(boolean tag) {
String str;
if (tag) {
str = "Hardcoded Crypto Key1"; // should report a warning here
} else {
str = "Hardcoded Crypto Key2"; // should report a warning here
}
SecretKeySpec secretKeySpec = new SecretKeySpec(str.getBytes(), "AES");
}
void encrypt() {
final String var0;
var0 = "hard coded key here";
SecretKeySpec keySpec = new SecretKeySpec(var0.getBytes(), "AES");
}
}
]]></code>
</test-code>
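Review bot: The added test case only exercises assignments whose target is the key variable (`str = ...` and `var0 = ...`); there is no case where the key variable appears on the right-hand side of some other assignment next to a string literal, which is the shape most likely to expose a misreport in assignment-walking logic. Consider adding a method with a non-key assignment such as `String msg; msg = "prefix" + var0;` and keeping `expected-problems` at the count the key assignments alone justify. The `expected-linenumbers` `7,9,16` refer to positions inside the CDATA block, whose blank lines are not visible on this page, so they cannot be confirmed from this view.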