[Java] CWE-798: Query to detect hard-coded Azure credentials

[luchua-bc]

Query

Link to pull request with your CodeQL query:

Relevant PR: https://github.com/github/codeql/pull/5852

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

Microsoft Azure is one of the most popular cloud computing solutions for building, testing, deploying, and managing applications and services in the cloud.

Azure offers a well-maintained Java SDK for provisioning, managing, and using Azure resources from Java application code. The Azure SDK for Java is composed of many individual Java libraries that relate to specific Azure services.

The query detects calling Azure SDK with a hard-coded user name and password or client secret.

• [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

• kartikchhapia/msftChangeNotifications
• jpnaidu07/azure-key-vault-examle

[ghsecuritylab]

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[ghsecuritylab]

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[pwntester]

Hey @luchua-bc

Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined this query is not eligible for a reward under the Bug Bounty program for the following reasons:

• It doesn't meet the minimum complexity requirements:

  To be eligible for a bounty, queries must be non-trivial, and meet a minimum complexity requirement. More concretely, queries that simply look for one or two AST elements, or that could be easily implemented with a linter or simple grep, may not be considered interesting enough for a bounty. Queries must also be sufficiently general to cover a class of vulnerabilities and may not be tailored to a specific CVE.

Looking forward to your future submissions! Best regards and happy hacking!

[luchua-bc]

Hi @pwntester,

Thanks for reviewing this PR. Sorry I don't get why the query doesn't meet the minimum complexity requirements so I would like more explanation.

Although its main part is three lines' addition to the library SensitiveApi.qll, it does take advantage of the shared dataflow configuration HardcodedCredentialApiCallConfiguration in HardcodedCredentialsApiCall.ql, which look for more than two AST elements and cannot be implemented with a linter or simple grep. For example, with its isBarrier predicate, credentials loaded as environment variables are not treated as hard-coded credentials to avoid false positives. I didn't re-invent the wheel to re-create the complex query because we already have the flow configuration in the CodeQL repository.

If this submission is invalid, does it mean other sensitive APIs in SensitiveApi.qll don't meet the minimum complexity requirements either? The query HardcodedCredentialsApiCall.ql and its dependent queries were contributed by quite a few researchers including @aschackmull, @p0, and @Marcono1234, and are pretty comprehensive. Also the other query Java: CWE-798 - Hardcoded AWS credentials written by me, which has a similar structure but handles hard-coded AWS credentials, was triaged as a valid submission just nine months ago.

I submitted this query because I think it fits in the category of "improve an existing query and extend its coverage to detect additional vulnerabilities" in the Github policy for detecting additional vulnerabilities of hard-coded credentials with Azure SDK.

Please correct me if my understanding is wrong. Thanks.

[pwntester]

Hi @luchua-bc,

Even if query improvements are indeed part of the program, they are also subject to the same rules as any original submission, including the minimum complexity rule detailed in the Out Of Scope section in https://hackerone.com/github-security-lab?type=team. We will clarify that in the FAQ of the bounty program.

As per the mentioned contributions, all of them were contributed outside of the bounty program, which is consistent with our decision.

[ghsecuritylab]

Your submission is now in status Closed.

For information, the evaluation workflow is the following: CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

[luchua-bc]

Hi @pwntester,

The contribution I mentioned above, which is Java: CWE-798 - Hardcoded AWS credentials for hard-coded AWS credentials, was contributed within the bounty program. I'm not aware of scope change in the last 9 months so it's confusing.

[pwntester]

This issue was triaged and discussed by our triage team and it was decided that the evaluation and scoring at that time were erroneous. We are sorry for the confusion and inconveniences it may have caused you.