Skip to content

Add Java security queries: cleartext LDAP, insecure JDBC cert, credentials in URL, IDOR#151

Merged
felickz merged 6 commits into
mainfrom
felickz/java-security-queries
Jul 6, 2026
Merged

Add Java security queries: cleartext LDAP, insecure JDBC cert, credentials in URL, IDOR#151
felickz merged 6 commits into
mainfrom
felickz/java-security-queries

Conversation

@felickz

@felickz felickz commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

What

Adds five Java security queries, each with a Markdown help doc, under java/src/security. They cover transport-security and broken-access-control patterns that the default CodeQL Java suite and the existing community queries do not flag.

CWE Query Kind What it finds
319 CleartextLdapUrl.ql problem An ldap:// URL configured on an LDAP context source (setUrl/setProviderUrl), transmitting bind credentials in cleartext
295 InsecureJdbcCertificateValidation.ql problem A JDBC URL containing trustServerCertificate=true, which accepts any server certificate (MITM)
598 CredentialsInOutboundUrl.ql path-problem A credential getter (getPassword/getSecret/...) whose value flows into the URL of an outbound HTTP client call
639 UserControlledRecordRetrieval.ql path-problem Read/disclosure IDOR: a @PathVariable id flowing into a repository finder (findById/...) with no per-record authorization check
639 InsecureDirectObjectReference.ql problem Modify IDOR: a state-changing Spring action keyed on a user-supplied id with no user/session check and no method-security annotation. Java analogue of cs/web/insecure-direct-object-reference

Why

These were found while reproducing a set of true positives that SAST missed on a sample Spring application. The two CWE-639 queries deliberately split IDOR into its two sub-classes:

  • UserControlledRecordRetrieval (dataflow) covers the read/disclosure case.
  • InsecureDirectObjectReference ports the C# InsecureDirectObjectReferenceQuery design (absence-of-authorization-check on a mutating action) to Spring MVC.

Validation

  • All five compile clean with codeql query compile --warnings=error against codeql/java-all (CLI 2.25.6).
  • Autoformatted with codeql query format.
  • True positives confirmed on a sample Spring app (CLI 2.25.6 database):
    • CleartextLdapUrl -> ctx.setUrl("ldap://...")
    • InsecureJdbcCertificateValidation -> DriverManager.getConnection with trustServerCertificate=true
    • CredentialsInOutboundUrl -> props.getPassword() into restTemplate.getForObject(url)
    • UserControlledRecordRetrieval -> @PathVariable id into repository.findById(id)
  • InsecureDirectObjectReference returns no result on that sample because its only id-bearing endpoint is a GET read; it is a faithful port of the first-party C# query, which targets state-changing actions. It fires on mutating endpoints (POST/PUT/DELETE/PATCH or edit/delete/modify/update/save/remove) that lack an authorization check.

Notes

  • Queries are auto-included by the existing java.qls path glob (kinds problem/path-problem, precision medium and low); no suite changes needed.
  • No use of getAQlClass or toString regex; regexpMatch is applied only to string values (names, URL literals).

Adds five Java queries (each with a Markdown help doc):

- CWE-319 CleartextLdapUrl: ldap:// URL on an LDAP context source
- CWE-295 InsecureJdbcCertificateValidation: JDBC trustServerCertificate=true
- CWE-598 CredentialsInOutboundUrl: credential getter reaching an outbound request URL
- CWE-639 UserControlledRecordRetrieval: read/disclosure IDOR (path id to repository finder)
- CWE-639 InsecureDirectObjectReference: modify IDOR, Java analogue of cs/web/insecure-direct-object-reference

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings June 23, 2026 17:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds new Java security queries (and corresponding Markdown help) under java/src/security to detect additional transport-security and broken-access-control patterns not covered by default suites/community queries.

Changes:

  • Introduces two CWE-639 IDOR-related queries (read/dataflow and write/heuristic) with docs.
  • Adds new transport/security misconfiguration queries for cleartext LDAP and insecure JDBC TLS validation, with docs.
  • Adds a dataflow query for credentials flowing into outbound HTTP request URLs, with docs.
Show a summary per file
File Description
java/src/security/CWE-639/UserControlledRecordRetrieval.ql New path-problem query for @PathVariable id flowing into repository findById-style calls.
java/src/security/CWE-639/UserControlledRecordRetrieval.md Help doc for the record-retrieval IDOR (read/disclosure) query.
java/src/security/CWE-639/InsecureDirectObjectReference.ql New problem query for mutating Spring controller actions keyed by id lacking authorization checks/annotations.
java/src/security/CWE-639/InsecureDirectObjectReference.md Help doc for the mutating IDOR query.
java/src/security/CWE-598/CredentialsInOutboundUrl.ql New path-problem query for credential getters flowing into outbound HTTP URL arguments.
java/src/security/CWE-598/CredentialsInOutboundUrl.md Help doc for outbound-URL credential exposure.
java/src/security/CWE-319/CleartextLdapUrl.ql New problem query for constant ldap:// URLs passed into LDAP context configuration calls.
java/src/security/CWE-319/CleartextLdapUrl.md Help doc for cleartext LDAP URL configuration.
java/src/security/CWE-295/InsecureJdbcCertificateValidation.ql New problem query for JDBC URLs containing trustServerCertificate=true.
java/src/security/CWE-295/InsecureJdbcCertificateValidation.md Help doc for insecure JDBC TLS certificate validation configuration.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 10/10 changed files
  • Comments generated: 4

Comment thread java/src/security/CWE-319/CleartextLdapUrl.ql
Comment thread java/src/security/CWE-319/CleartextLdapUrl.ql Outdated
Comment thread java/src/security/CWE-639/InsecureDirectObjectReference.ql Outdated
Comment thread java/src/security/CWE-639/InsecureDirectObjectReference.ql Outdated
@felickz

felickz commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

@copilot why is this not compiling, it works with latest CodeQL version on my local machine

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/28042925672/job/83013579419

- Replace getAValue() with getValue() in InsecureDirectObjectReference.ql
  to compile against codeql/java-all@7.1.3 (CI uses CLI 2.21.1)
- Fix getAStringArrayValue -> getAStringValue for PathVariable/RequestParam
  annotations (value/name are single String attrs, not arrays)
- Remove setUrls from LdapUrlSink (takes String[], not a single constant)
- Remove LDAP URL literal from alert message to avoid exposing credentials
- Improve InsecureDirectObjectReference alert message clarity

Copilot AI commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@copilot why is this not compiling, it works with latest CodeQL version on my local machine

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/28042925672/job/83013579419

The CI was failing because getAValue() on SpringRequestMappingMethod was introduced in codeql/java-all@7.3.0 (CLI 2.21.4), but the project pins to CLI 2.21.1 which bundles codeql/java-all@7.1.3. In that version, the method is still called getValue().

Fixed in commit that replaces this.getAValue() with this.getValue() in InsecureDirectObjectReference.ql. Also addressed the other review issues while touching these files: switched getAStringArrayValue to getAStringValue for @PathVariable/@RequestParam annotation lookups (those attributes are single strings, not arrays), removed setUrls from the LDAP sink (it takes a String[] so the single-constant check never matched), and dropped the LDAP URL literal from the alert message to avoid surfacing embedded credentials in results.

@Kwstubbs Kwstubbs self-requested a review June 29, 2026 16:48
@Kwstubbs Kwstubbs self-assigned this Jun 30, 2026
Comment thread java/src/security/CWE-598/CredentialsInOutboundUrl.ql
Comment thread java/src/security/CWE-639/InsecureDirectObjectReference.ql Outdated
@Kwstubbs

Kwstubbs commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

@felickz Did a quick review. Let me know what you think.

@felickz felickz mentioned this pull request Jul 1, 2026
felickz and others added 4 commits July 6, 2026 09:56
Co-authored-by: Kevin Stubbings <kwstubbs@github.com>
… String URL arg

Hoist the method-name filter so it constrains both the RestOperations and
RestTemplate branches (the original only applied it to RestTemplate, so the
RestOperations branch matched arg0 of any method whose declaring type descends
from RestOperations, including setters/getters and URI/RequestEntity overloads).
Add postForLocation and patchForObject, and require the URL arg to be a String.

Co-authored-by: Kwstubbs
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ngRequestMappingMethod)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The route accessor on SpringRequestMappingMethod is getValue() in the pinned
java-all 7.1.3 (see .codeqlversion 2.21.1 and existing query
CWE-094/SpringImplicitViewManipulation.ql). It was renamed to getAValue() in
newer library versions, so compiling against the bundled 9.x fails, but the
repo's CI resolves the pinned 7.1.3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@felickz felickz left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:octocat: 👍

@felickz felickz merged commit 0fc6e8f into main Jul 6, 2026
21 checks passed
@felickz felickz deleted the felickz/java-security-queries branch July 6, 2026 17:37
felickz added a commit that referenced this pull request Jul 6, 2026
* docs: document CodeQL version pinning and pack compatibility

- Add a consumer-facing compatibility note in README linking to GitHub's
  official CodeQL pack compatibility docs, reassuring users that older
  published packs generally keep working with newer CLIs (with caveats).
- Add a maintainer-facing 'Supported CodeQL versions' section in
  CONTRIBUTING.md documenting the two-file pinning mechanism
  (.codeqlversion for the CLI, <lang>/src/codeql-pack.lock.yml for the
  locked library version) with a table of current locked versions per
  language, including the upstream *-queries dependency used by C/C++
  and C# only.
- Link out to the community CodeQL Bundle Version Tracker for the
  broader CLI-to-library version mapping.

Motivated by GHSL PR #151 (java-all API rename between 7.1.3 and 9.1.2
causing local/CI compile mismatches) and issue #145 (stale packs).

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* docs: split CodeQL CLI references into Bundle and Binary links

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants