Skip to content

This PR adds models Java client APIs for CouchBase and adds tests for 2 queries #21082

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mbaluda wants to merge 9 commits into
base: main
Choose a base branch
from
+739 −49
Open

This PR adds models Java client APIs for CouchBase and adds tests for 2 queries #21082

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
b22077c
Hardcoded credentials in CouchBase
mbaluda Dec 22, 2025
fd78c94
Merge branch 'github:main' into couchdb
mbaluda Dec 22, 2025
15ee88e
SQLi test case
mbaluda Dec 24, 2025
cb34160
Add change notes for Couchbase sinks
mbaluda Dec 24, 2025
1e1fb43
Update JsonObject put method signatures in YAML
mbaluda Jan 2, 2026
4c8058d
Merge branch 'github:main' into couchdb
mbaluda Jan 9, 2026
0464e64
Merge branch 'github:main' into couchdb
mbaluda Jan 9, 2026
dda042f
rename change notes
mbaluda Dec 24, 2025
89f0e79
Fix `SqlTainted` test
mbaluda Jan 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions java/ql/lib/ext/com.couchbase.client.core.env.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
# 'credentials-password' sinks
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(Supplier)", "", "Argument[0]", "credentials-password", "manual"]
# 'credentials-username' sinks
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
- ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0]", "credentials-username", "manual"]

- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.couchbase.client.core.env", "UsernameAndPassword", true, "UsernameAndPassword", "(String,String)", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]
28 changes: 28 additions & 0 deletions java/ql/lib/ext/com.couchbase.client.java.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
# 'credentials-username' sinks
- ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
- ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
# 'credentials-password' sinks
- ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
- ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
# 'sql-injection' sinks
- ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
- ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
Comment on lines +19 to +20
Copy link
Contributor

@owen-mc owen-mc Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While these models are correct, they currently don't have any effect, because we don't have any models for taint to flow into a SearchQuery. Ideally we would also model some methods for creating (subclasses of) SearchQuery. I won't block this PR on this, however.


- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[0]", "ReturnValue.MapKey", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[1]", "ReturnValue.MapValue", "taint", "manual"]
- ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
4 changes: 4 additions & 0 deletions java/ql/src/change-notes/2025-12-24-couchbase-sinks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.
18 changes: 18 additions & 0 deletions java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java
View file
Open in desktop
Copy link
Contributor

@owen-mc owen-mc Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would love it if these tests could exercise more (or most? or even all?) of the models you've added. That is the only way of checking that the models work - and in this case it would have caught the issues with angle brackets.

(I would also love it if the tests were converted to inline expectations. But there is no need for you to do that.)

Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
package com.example;

import com.couchbase.client.java.Bucket;
import com.couchbase.client.java.Cluster;
import com.couchbase.client.java.Collection;
import com.couchbase.client.java.json.JsonObject;

public class CouchBase {
public static void main(String[] args) {
Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator");
Bucket bucket = cluster.bucket("travel-sample");
cluster.query(args[1]);

Collection collection = bucket.defaultCollection();
collection.replace("airbnb_1", JsonObject.create().putNull(System.getenv("ITEM_CATEGORY")));
collection.upsert("airbnb_1", JsonObject.create().put("country", args[1]));
}
}
Loading