
Java: Password in Java EE configuration files #4814

Merged
smowton merged 7 commits into github:main from luchua-bc:java/password-in-configuration on Jan 5, 2021

Conversation

@luchua-bc
Contributor

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.

This is a common issue with many GitHub repositories. The query detects cleartext passwords stored in XML configuration files.

Please consider merging the PR. Thanks.

@smowton
Contributor

smowton commented Dec 14, 2020

I note from the code scanning warnings (which come from the C# analysis) that this is a near-copy of https://github.com/github/codeql/blob/main/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql -- @github/codeql-csharp, what do you make of the differences (stronger isNotPassword predicate vs. the C# version's third disjunct a.getValue().regexpMatch("(?is).*(pwd|password)\\s*=(?!\\s*;).*") whose meaning is hazy to me but I think it accepts strings like "password=dfsdfdsf", plus whatever (?!\\s*;) is doing)

@hvitved
Contributor

hvitved commented Dec 16, 2020

@github/codeql-csharp, what do you make of the differences (stronger isNotPassword predicate vs. the C# version's third disjunct a.getValue().regexpMatch("(?is).*(pwd|password)\\s*=(?!\\s*;).*") whose meaning is hazy to me but I think it accepts strings like "password=dfsdfdsf", plus whatever (?!\\s*;) is doing)

Looks like this query also has that disjunct: https://github.com/github/codeql/pull/4814/files#diff-a072f910060223db1a33816cd6374601e46f0bb2759b46e60edd0e83e3c90636R36. Not sure why isNotPassword is not applied to all disjuncts.

@smowton
Contributor

smowton commented Dec 16, 2020

Doh yeah. @luchua-bc can we usefully use isNotPassword for the cases not currently covered?

@luchua-bc
Contributor Author

luchua-bc commented Dec 16, 2020

Thanks @hvitved for reviewing this PR.

I copied the third disjunct from the C# query. Typically .NET applications have a database configuration like the following:

  <connectionStrings>
    <add name="sqlServerConnection" connectionString="Data Source=servername;Database=dbname;User ID=username;Password=dfsdfdsf;Connection Timeout=30;" providerName="System.Data.SqlClient" />
  </connectionStrings>

This is the reason for this disjunct.

While Java EE applications have a more structured configuration like:

<Resource name="jdbc/exampleDS" auth="Container" type="javax.sql.DataSource"
               maxTotal="100" maxIdle="30" maxWaitMillis="10000"
               username="root" password="1234"
               driverClassName="com.mysql.jdbc.Driver"
               url="jdbc:mysql://www.example.com:3306/proj" />

I did a quick search on Java GitHub repositories and could not find any repository with the .NET style configuration of connection strings.

Would it be a good idea to simply delete this disjunct, since it won't be useful to most Java projects? Or I can apply the same isNotPassword predicate to the pattern connection="...Password=dfsdfdsf..." for completeness.

Please advise.

Thanks,
@luchua-bc

@luchua-bc
Contributor Author

I've modified the query to apply the same check (blank, placeholder and encrypted) to embedded passwords. As method parameters cannot be strings, I developed a new method with the parameter XMLAttribute.

Please let me know if this is not what we want.

@smowton
Contributor

smowton commented Dec 17, 2020

They can be strings -- do you say that because you got a message relating to binding? If so you might need to write something like the following example, which uses bindingset to indicate that the set of matches is bounded if the parameter name is itself bounded. This is necessary only when the body of the predicate doesn't make it obviously finite -- for example, name = ["hello", "world"] does not need this annotation.

/**
 * Holds if the name of this algorithm matches `name` modulo case,
 * white space, dashes and underscores.
 */
bindingset[name]
predicate matchesName(string name) {
  exists(name.regexpReplaceAll("[-_]", "").regexpFind("(?i)\\Q" + getName() + "\\E", _, _))
}

See also https://codeql.github.com/docs/ql-language-reference/predicates/#binding-sets

@luchua-bc
Contributor Author

Great. Thanks a lot @smowton. I've revamped the functions to take a string parameter, which helps to remove the duplicate code and make the query more clear.
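As an added Python sketch of the behaviour settled in this thread (not the PR's QL query; its predicate names and exact regexes are not reproduced here): the same blank/placeholder/encrypted filter is applied both to a password attribute and to a Password= entry embedded in another attribute's value. The placeholder and encrypted patterns are assumptions, the XML is constructed, and the sample goes beyond the thread's two examples by also catching a password in a JDBC URL query string.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that directly hold a password (case-insensitive name check).
PASSWORD_ATTR = re.compile(r"(?i)(pwd|password)$")
# The connection-string disjunct from the thread: "Password=<value>" embedded in a
# larger attribute value; the lookahead rejects an empty "Password=;" entry.
EMBEDDED_PASSWORD = re.compile(r"(?is)(pwd|password)\s*=(?!\s*;)([^;]*)")
# Placeholder and encrypted-value shapes are my assumptions, not the PR's predicates.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|\{[^}]*\}|<[^>]*>)$")
ENCRYPTED = re.compile(r"(?i)^(ENC\(|\{aes\}|\{enc\})")

def is_not_password(value: str) -> bool:
    """Blank values, property placeholders and encrypted values are not cleartext
    passwords; this filter is applied to direct and embedded candidates alike."""
    v = value.strip()
    return v == "" or PLACEHOLDER.match(v) is not None or ENCRYPTED.match(v) is not None

def find_cleartext_passwords(xml_text: str) -> list:
    """Return (element tag, attribute name, password) for each cleartext password."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if PASSWORD_ATTR.search(attr):
                if not is_not_password(value):
                    findings.append((elem.tag, attr, value))
            else:  # e.g. connectionString or a JDBC URL carrying password=... in its query
                for m in EMBEDDED_PASSWORD.finditer(value):
                    if not is_not_password(m.group(2)):
                        findings.append((elem.tag, attr, m.group(2).strip()))
    return findings

# Constructed sample: the thread's Tomcat Resource and .NET connection string plus filtered-out variants.
SAMPLE_XML = """<Context>
  <Resource name="jdbc/exampleDS" auth="Container" type="javax.sql.DataSource"
            username="root" password="1234" driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://www.example.com:3306/proj" />
  <Resource name="jdbc/propDS" username="app" password="${db.password}" />
  <Resource name="jdbc/blankDS" username="app" password="" />
  <Resource name="jdbc/encDS" username="app" password="ENC(constructed-ciphertext)" />
  <Resource name="jdbc/urlDS" url="jdbc:postgresql://db.example.com/proj?user=app&amp;password=s3cret" />
  <add name="sqlServerConnection" providerName="System.Data.SqlClient"
       connectionString="Data Source=servername;Database=dbname;User ID=username;Password=dfsdfdsf;Connection Timeout=30;" />
  <add name="blankConnection" connectionString="Data Source=servername;Password=;" />
</Context>"""

if __name__ == "__main__":
    for tag, attr, pwd in find_cleartext_passwords(SAMPLE_XML):
        print(f"{tag}@{attr}: cleartext password {pwd!r}")
```

Only the three cleartext values (the Resource attribute, the JDBC URL parameter and the connection-string entry) are reported; the placeholder, blank and ENC(...) variants are filtered out by the same check.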

Contributor

@smowton smowton left a comment


Looks good, will get a code-owner review


import java

/* Holds if the attribute value is not a cleartext password */
Contributor


Regular comments should be /** doc comments (here and below)

Contributor Author


Thanks @smowton. I've made the change.

@smowton smowton self-assigned this Jan 4, 2021
@smowton smowton merged commit e87fd86 into github:main Jan 5, 2021
@luchua-bc luchua-bc deleted the java/password-in-configuration branch January 5, 2021 13:20