8000 This PR adds models Java client APIs for CouchBase and adds tests for 2 queries by mbaluda · Pull Request #21082 · github/codeql · GitHub
[go: up one dir, main page]
Skip to content

This PR adds models Java client APIs for CouchBase and adds tests for 2 queries #21082

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mbaluda wants to merge 4 commits into
base: main
Choose a base branch
from
Open

This PR adds models Java client APIs for CouchBase and adds tests for 2 queries #21082

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b22077c
Hardcoded credentials in CouchBase
mbaluda Dec 22, 2025
fd78c94
Merge branch 'github:main' into couchdb
mbaluda Dec 22, 2025
15ee88e
SQLi test case
mbaluda Dec 24, 2025
cb34160
Add change notes for Couchbase sinks
mbaluda Dec 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions java/ql/lib/ext/com.couchbase.client.core.env.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional<String>)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier<String>)", "", "Argument[0]", "credentials-username", "manual"]
Copy link
Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sink model marks "Argument[0]" of PasswordAuthenticator.Builder.username with Supplier<String> parameter as "credentials-username". However, a Supplier<String> is typically used for lazy evaluation or dynamic credential retrieval (e.g., from a secure vault), not for hardcoded credentials. Marking this as a hardcoded credentials sink may create false positives when secure credential management patterns are used.

Copilot uses AI. Check for mistakes.
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
44 changes: 44 additions & 0 deletions java/ql/lib/ext/com.couchbase.client.java.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object)", "", "A 8000 rgument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object,UpsertOptions)", "", "Argument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object,ReplaceOptions)", "", "Argument[1]", "sql-injection", "manual"]

- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map<String, ?>)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map<String, ?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List<?>)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List<?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Copy link
Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The summary model for JsonObject.putNull propagates taint from "Argument[0]" (the String key parameter) to the ReturnValue. However, since putNull only sets a null value for the given key, the key parameter should not be considered a source of taint for the resulting object. This model may create false positives by treating field names as tainted data.

Suggested change
- ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

Copilot uses AI. Check for mistakes.
Comment on lines +27 to +44
Copy link
Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The summary model for JsonObject.put includes "Argument[0]" (the String key parameter) tainting the ReturnValue. However, since the key is typically not considered user-controlled data that should propagate as a security concern, this creates unnecessary taint flow. Only "Argument[1]" (the value parameter) should taint the ReturnValue, as that's where actual data flows through the object.

Suggested change
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map<String, ?>)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map<String, ?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List<?>)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List<?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map<String, ?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List<?>)", "", "Argument[1]", "ReturnValue", "taint", "manual"]

Copilot uses AI. Check for mistakes.
4 changes: 4 additions & 0 deletions java/ql/src/change-notes/2025-12-24-couchbase-sinks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.
18 changes: 18 additions & 0 deletions java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
package com.example;

import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.Collection;
import com.couchbase.client.java.json.JsonObject;

public class CouchBase {
public static void main(String[] args) {
Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator");
Bucket bucket = cluster.bucket("travel-sample");
cluster.query(args[1]);

Collection collection = bucket.defaultCollection();
collection.replace("airbnb_1", JsonObject.create().putNull(System.getenv("ITEM_CATEGORY")));
collection.upsert("airbnb_1", JsonObject.create().put("country", args[1]));
}
}
Loading
0