
[5.0] Credscan (#50120)
* Port of dotnet/corefx#43051

* Shrink suppression file

* Update src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs

* Bump System.Net.TestData version

* fix setup_certificates.ps1

* Revert casing in connection string

* Update Rfc2898Tests.cs

* Fix connection string case

* Change suppression messages

* Fix typo

* more fixes

* Remove false positive

* fix usersecrets

Co-authored-by: Dan Moseley <danmose@microsoft.com>
Jan Jahoda and danmoseley authored Mar 26, 2021
1 parent 55e7712 commit aa235f8
Showing 30 changed files with 117 additions and 181 deletions.
54 changes: 1 addition & 53 deletions .config/CredScanSuppressions.json
Expand Up @@ -2,13 +2,7 @@
"tool": "Credential Scanner",
"suppressions": [
{
"_justification": "Unit test containing connection strings under the test.",
"file": [
"src/libraries/System.Data.Common/tests/System/Data/Common/DbConnectionStringBuilderTest.cs"
]
},
{
"_justification": "Private key for testing purpose.",
"_justification": "Suppression approved. Private key for testing purpose.",
"file": [
"src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/DSA/DSAKeyPemTests.cs",
"src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyPemTests.cs",
Expand All @@ -19,52 +13,6 @@
"-----BEGIN PRIVATE KEY-----",
"-----BEGIN * PRIVATE KEY-----"
]
},
{
"_justification": "Test credential for Uri testing",
"file": [
"src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs",
"src/libraries/System.Private.Uri/tests/ExtendedFunctionalTests/UriRelativeResolutionTest.cs",
"src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderRefreshTest.cs",
"src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuilderTests.cs",
"src/libraries/System.Private.Uri/tests/FunctionalTests/UriRelativeResolutionTest.cs",
"src/libraries/System.Runtime/tests/System/Uri.CreateStringTests.cs"
],
"placeholder": [
"//*:;&$=123USERINFO@",
"//*:bar@",
"//*:bar1@",
"//*:password1@",
"//*:psw@",
"//*:userinfo2@"
]
},
{
"_justification": "Generic test password.",
"file": [
"src/libraries/Common/tests/System/Net/Configuration.Certificates.cs",
"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs",
"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs",
"src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs",
"src/libraries/Common/tests/System/Net/Http/PostScenarioTest.cs",
"src/libraries/Common/tests/System/Net/Prerequisites/Deployment/setup_certificates.ps1",
"src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs",
"src/libraries/System.Net.Http/tests/UnitTests/DigestAuthenticationTests.cs",
"src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs",
"src/libraries/System.Net.Mail/tests/Functional/SmtpClientTest.cs",
"src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs",
"src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs"
],
"placeholder": [
"\"anotherpassword\"",
"\"bar\"",
"\"mono\"",
"\"password1\"",
"\"rightpassword\"",
"\"testcertificate\"",
"\"unused\"",
"\"wrongpassword\""
]
}
]
}
2 changes: 1 addition & 1 deletion eng/Versions.props
Expand Up @@ -104,7 +104,7 @@
<SystemDrawingCommonTestDataVersion>5.0.0-beta.20377.1</SystemDrawingCommonTestDataVersion>
<SystemIOCompressionTestDataVersion>5.0.0-beta.20377.1</SystemIOCompressionTestDataVersion>
<SystemIOPackagingTestDataVersion>5.0.0-beta.20377.1</SystemIOPackagingTestDataVersion>
<SystemNetTestDataVersion>5.0.0-beta.20377.1</SystemNetTestDataVersion>
<SystemNetTestDataVersion>5.0.0-beta.21174.1</SystemNetTestDataVersion>
<SystemPrivateRuntimeUnicodeDataVersion>5.0.0-beta.20377.1</SystemPrivateRuntimeUnicodeDataVersion>
<SystemSecurityCryptographyX509CertificatesTestDataVersion>5.0.0-beta.20377.1</SystemSecurityCryptographyX509CertificatesTestDataVersion>
<SystemWindowsExtensionsTestDataVersion>5.0.0-beta.20377.1</SystemWindowsExtensionsTestDataVersion>
Expand Up @@ -129,10 +129,10 @@ internal partial class WinHttp
public const uint WINHTTP_AUTH_TARGET_PROXY = 0x00000001;

public const uint WINHTTP_OPTION_USERNAME = 0x1000;
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. It is property descriptor, not secret value.")]
public const uint WINHTTP_OPTION_PASSWORD = 0x1001;
public const uint WINHTTP_OPTION_PROXY_USERNAME = 0x1002;
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. It is property descriptor, not secret value.")]
public const uint WINHTTP_OPTION_PROXY_PASSWORD = 0x1003;

public const uint WINHTTP_OPTION_SERVER_SPN_USED = 106;
Expand Up @@ -15,8 +15,8 @@ public static partial class Configuration
{
public static partial class Certificates
{
private const string CertificatePassword = "testcertificate";
private const string TestDataFolder = "TestData";
private const string CertificatePassword = "PLACEHOLDER";
private const string TestDataFolder = "TestDataCertificates";
private const int MutexTimeoutMs = 120_000;

private static readonly X509Certificate2 s_serverCertificate;
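Review bot: The new value on the `private const string CertificatePassword = "PLACEHOLDER";` line is only correct if it matches the export password of the .pfx files in the System.Net.TestData package, and nothing in the hunk records that coupling; the same commit bumps `SystemNetTestDataVersion` in eng/Versions.props and writes the identical value into setup_certificates.ps1, so the constant presumably tracks regenerated test data. A comment would save the next person who changes either side: `// Must match the export password of the .pfx files in System.Net.TestData/TestDataCertificates (package version: SystemNetTestDataVersion in eng/Versions.props).` The same goes for `TestDataFolder`, which now has to agree with the folder name inside that package. The enclosing `Certificates` class continues outside the hunk.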
Expand Up @@ -585,7 +585,7 @@ public async Task GetAsync_ServerNeedsNonStandardAuthAndSetCredential_StatusCode
await LoopbackServerFactory.CreateServerAsync(async (server, url) =>
{
HttpClientHandler handler = CreateHttpClientHandler();
handler.Credentials = new NetworkCredential("unused", "unused");
handler.Credentials = new NetworkCredential("unused", "PLACEHOLDER");
using (HttpClient client = CreateHttpClient(handler))
{
Task<HttpResponseMessage> getResponseTask = client.GetAsync(url);
Expand Down Expand Up @@ -1010,7 +1010,7 @@ await LoopbackServer.CreateClientAndServerAsync(async uri =>
$"Accept-Patch:{fold} text/example;charset=utf-8{newline}" +
$"Accept-Ranges:{fold} bytes{newline}" +
$"Age: {fold}12{newline}" +
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test dummy authorization.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. Unit test dummy authorization.")]
$"Authorization: Bearer 63123a47139a49829bcd8d03005ca9d7{newline}" +
$"Allow: {fold}GET, HEAD{newline}" +
$"Alt-Svc:{fold} http/1.1=\"http2.example.com:8001\"; ma=7200{newline}" +
Expand Up @@ -23,7 +23,7 @@ public abstract class PostScenarioTest : HttpClientHandlerTestBase
{
private const string ExpectedContent = "Test contest";
private const string UserName = "user1";
private const string Password = "password1";
private const string Password = "PLACEHOLDER";

public PostScenarioTest(ITestOutputHelper output) : base(output) { }

Expand Up @@ -5,15 +5,15 @@

# Certificate configuration

$script:testDataUri = "https://github.com/dotnet/runtime-assets/archive/master.zip"
$script:testDataUri = "https://github.com/dotnet/runtime-assets/archive/release/5.0.zip"
$script:testData = "runtime-assets"
$script:certificatePath = "$($script:testData)\runtime-assets-master\System.Net.TestData"
$script:certificatePath = "$($script:testData)\src\System.Net.TestData\TestDataCertificates"

$script:clientPrivateKeyPath = Join-Path $script:certificatePath "testclient1_at_contoso.com.pfx"
$script:clientPrivateKeyPassword = "testcertificate"
$script:clientPrivateKeyPassword = "PLACEHOLDER"

$script:serverPrivateKeyPath = Join-Path $script:certificatePath "contoso.com.pfx"
$script:serverPrivateKeyPassword = "testcertificate"
$script:serverPrivateKeyPassword = "PLACEHOLDER"

Function GetFullPath($relativePath)
{
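Review bot: The new `$script:certificatePath` drops the archive's top-level directory: the old path went through `runtime-assets-master`, while the new one goes straight from `$($script:testData)` into `src\System.Net.TestData\TestDataCertificates`. A GitHub branch archive such as `.../archive/release/5.0.zip` still extracts into one top-level folder named after the branch, so unless the extraction code outside this hunk now strips that folder, the `Join-Path` calls for the two .pfx files will not resolve; worth confirming against the extraction step. Separately, the download URL points at a moving branch head rather than a tag or commit, so the certificates this script installs are not reproducible across runs; pinning the revision would make the deployment deterministic. The two `"PLACEHOLDER"` assignments could also share one `$script:testCertificatePassword` variable so the value is changed in one place.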
Expand Up @@ -177,7 +177,7 @@ public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384()
public void ReadNistP521EncryptedPkcs8_Pbes2_Aes128_Sha384_PasswordBytes()
{
// PBES2, PBKDF2 (SHA384), AES128
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. Unit test key.")]
const string base64 = @"
MIIBXTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI/JyXWyp/t3kCAggA
MAwGCCqGSIb3DQIKBQAwHQYJYIZIAWUDBAECBBA3H8mbFK5afB5GzIemCCQkBIIB
Expand Up @@ -764,7 +764,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP()
public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
{
// PBES2: PBKDF2 + RC2-128
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. Unit test key.")]
const string base64 = @"
MIIBrjBIBgkqhkiG9w0BBQ0wOzAeBgkqhkiG9w0BBQwwEQQIKZEFT76zCFECAggA
AgEQMBkGCCqGSIb3DQMCMA0CAToECE1Yyzk6++IPBIIBYDDvaYLkET8eudcYLQMf
Expand All @@ -790,7 +790,7 @@ public static void ReadPbes2Rc2EncryptedDiminishedDP_PasswordBytes()
[Fact]
public static void ReadEncryptedDiminishedDP_EmptyPassword()
{
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. Unit test key.")]
const string base64 = @"
MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg
Expand All @@ -815,7 +815,7 @@ public static void ReadEncryptedDiminishedDP_EmptyPassword()
[Fact]
public static void ReadEncryptedDiminishedDP_EmptyPasswordBytes()
{
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Unit test key.")]
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Suppression approved. Unit test key.")]
const string base64 = @"
MIIBgTAbBgkqhkiG9w0BBQMwDgQIJtjMez/9Gg4CAggABIIBYElq9UOOphEPU3b7
G/mV8M1uEdjigidMPih3b9IIJhrjMAEix2IjS+brFL7KRQgucpZZoaFU1utvkUHg
Expand Up @@ -112,12 +112,12 @@ public void AddUserSecrets_DoesNotThrowsIfOptional()
public void AddUserSecrets_With_SecretsId_Passed_Explicitly()
{
var userSecretsId = Guid.NewGuid().ToString();
SetSecret(userSecretsId, "Facebook:AppSecret", "value1");
SetSecret(userSecretsId, "Facebook:PLACEHOLDER", "value1");

var builder = new ConfigurationBuilder().AddUserSecrets(userSecretsId);
var configuration = builder.Build();

Assert.Equal("value1", configuration["Facebook:AppSecret"]);
Assert.Equal("value1", configuration["Facebook:PLACEHOLDER"]);
}

[Fact]
Expand All @@ -128,7 +128,7 @@ public void AddUserSecrets_Does_Not_Fail_On_Non_Existing_File()
var builder = new ConfigurationBuilder().AddUserSecrets(userSecretsId);

var configuration = builder.Build();
Assert.Null(configuration["Facebook:AppSecret"]);
Assert.Null(configuration["Facebook:PLACEHOLDER"]);
Assert.False(File.Exists(secretFilePath));
}

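Review bot: The edit on the `SetSecret(userSecretsId, "Facebook:PLACEHOLDER", "value1");` line renames the configuration key, not the value, so `PLACEHOLDER` means something different here from everywhere else in this commit, where it stands in for a redacted value; a reader will take the key for a redaction rather than a test setting name. If the scanner objected to the key name `AppSecret`, a neutral key such as `"Facebook:TestSetting"` (constructed example) reads correctly and still exercises the `Section:Key` syntax. The key is repeated three times across the two tests (`SetSecret`, `Assert.Equal`, `Assert.Null`), so hoisting it into a `private const string TestSecretKey` would keep them in sync.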
Expand Up @@ -1691,17 +1691,17 @@ public void EmbeddedCharTest1()

sb["Data Source"] = "testdb";
sb["User ID"] = "someuser";
sb["Password"] = "abcdef";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=abcdef",
sb["Password"] = "PLACEHOLDER";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=PLACEHOLDER",
sb.ConnectionString);

sb["Password"] = "abcdef#";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=abcdef#",
sb["Password"] = "PLACEHOLDER#";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=PLACEHOLDER#",
sb.ConnectionString);

// an embedded single-quote value will result in the value being delimieted with double quotes
sb["Password"] = "abc\'def";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=\"abc\'def\"",
sb["Password"] = "PLACEHOLDER\'def";
Assert.Equal("Data Source=testdb;User ID=someuser;Password=\"PLACEHOLDER\'def\"",
sb.ConnectionString);

// an embedded double-quote value will result in the value being delimieted with single quotes
Expand All @@ -1717,39 +1717,39 @@ public void EmbeddedCharTest1()
sb.ConnectionString);

sb = new DbConnectionStringBuilder();
sb["PASSWORD"] = "abcdef1";
sb["PASSWORD"] = "PLACEHOLDERabcdef1";
sb["user id"] = "someuser";
sb["Data Source"] = "testdb";
Assert.Equal("PASSWORD=abcdef1;user id=someuser;Data Source=testdb",
Assert.Equal("PASSWORD=PLACEHOLDERabcdef1;user id=someuser;Data Source=testdb",
sb.ConnectionString);

// case is preserved for a keyword that was added the first time
sb = new DbConnectionStringBuilder();
sb["PassWord"] = "abcdef2";
sb["PassWord"] = "PLACEHOLDERabcdef2";
sb["uSER iD"] = "someuser";
sb["DaTa SoUrCe"] = "testdb";
Assert.Equal("PassWord=abcdef2;uSER iD=someuser;DaTa SoUrCe=testdb",
Assert.Equal("PassWord=PLACEHOLDERabcdef2;uSER iD=someuser;DaTa SoUrCe=testdb",
sb.ConnectionString);
sb["passWORD"] = "abc123";
Assert.Equal("PassWord=abc123;uSER iD=someuser;DaTa SoUrCe=testdb",
sb["passWORD"] = "PLACEHOLDERabc123";
Assert.Equal("PassWord=PLACEHOLDERabc123;uSER iD=someuser;DaTa SoUrCe=testdb",
sb.ConnectionString);

// embedded equal sign in the value will cause the value to be
// delimited with double-quotes
sb = new DbConnectionStringBuilder();
sb["Password"] = "abc=def";
sb["Password"] = "PLACEHOLDER=def";
sb["Data Source"] = "testdb";
sb["User ID"] = "someuser";
Assert.Equal("Password=\"abc=def\";Data Source=testdb;User ID=someuser",
Assert.Equal("Password=\"PLACEHOLDER=def\";Data Source=testdb;User ID=someuser",
sb.ConnectionString);

// embedded semicolon in the value will cause the value to be
// delimited with double-quotes
sb = new DbConnectionStringBuilder();
sb["Password"] = "abc;def";
sb["Password"] = "PLACEHOLDER;def";
sb["Data Source"] = "testdb";
sb["User ID"] = "someuser";
Assert.Equal("Password=\"abc;def\";Data Source=testdb;User ID=someuser",
Assert.Equal("Password=\"PLACEHOLDER;def\";Data Source=testdb;User ID=someuser",
sb.ConnectionString);

// more right parentheses then left parentheses - happily takes it
Expand Down Expand Up @@ -1866,32 +1866,32 @@ public void EmbeddedCharTest3()
DbConnectionStringBuilder sb;

sb = new DbConnectionStringBuilder();
sb.ConnectionString = "User ID=SCOTT;Password=TiGeR;Data Source=" + dataSource;
sb.ConnectionString = "User ID=SCOTT;Password=PLACEHOLDER;Data Source=" + dataSource;
Assert.Equal(dataSource, sb["Data Source"]);
Assert.Equal("SCOTT", sb["User ID"]);
Assert.Equal("TiGeR", sb["Password"]);
Assert.Equal("PLACEHOLDER", sb["Password"]);
Assert.Equal(
"user id=SCOTT;password=TiGeR;data source=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"user id=SCOTT;password=PLACEHOLDER;data source=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"TCP)(HOST=192.168.1.101)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)" +
"(SERVICE_NAME=TESTDB)))\"", sb.ConnectionString);

sb = new DbConnectionStringBuilder(false);
sb.ConnectionString = "User ID=SCOTT;Password=TiGeR;Data Source=" + dataSource;
sb.ConnectionString = "User ID=SCOTT;Password=PLACEHOLDER;Data Source=" + dataSource;
Assert.Equal(dataSource, sb["Data Source"]);
Assert.Equal("SCOTT", sb["User ID"]);
Assert.Equal("TiGeR", sb["Password"]);
Assert.Equal("PLACEHOLDER", sb["Password"]);
Assert.Equal(
"user id=SCOTT;password=TiGeR;data source=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"user id=SCOTT;password=PLACEHOLDER;data source=\"(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"TCP)(HOST=192.168.1.101)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)" +
"(SERVICE_NAME=TESTDB)))\"", sb.ConnectionString);

sb = new DbConnectionStringBuilder(true);
sb.ConnectionString = "User ID=SCOTT;Password=TiGeR;Data Source=" + dataSource;
sb.ConnectionString = "User ID=SCOTT;Password=PLACEHOLDER;Data Source=" + dataSource;
Assert.Equal(dataSource, sb["Data Source"]);
Assert.Equal("SCOTT", sb["User ID"]);
Assert.Equal("TiGeR", sb["Password"]);
Assert.Equal("PLACEHOLDER", sb["Password"]);
Assert.Equal(
"user id=SCOTT;password=TiGeR;data source=(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"user id=SCOTT;password=PLACEHOLDER;data source=(DESCRIPTION=(ADDRESS=(PROTOCOL=" +
"TCP)(HOST=192.168.1.101)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)" +
"(SERVICE_NAME=TESTDB)))", sb.ConnectionString);
}
Expand All @@ -1902,24 +1902,24 @@ public void EmbeddedCharTest4()
DbConnectionStringBuilder sb;

sb = new DbConnectionStringBuilder();
sb.ConnectionString = "PassWord=abcdef2;uSER iD=someuser;DaTa SoUrCe=testdb";
sb.ConnectionString = "PassWord=PLACEHOLDER;user iD=someuser;DaTa SoUrCe=testdb";
sb["Integrated Security"] = "False";
Assert.Equal(
"password=abcdef2;user id=someuser;data source=testdb;Integrated Security=False",
"password=PLACEHOLDER;user id=someuser;data source=testdb;Integrated Security=False",
sb.ConnectionString);

sb = new DbConnectionStringBuilder(false);
sb.ConnectionString = "PassWord=abcdef2;uSER iD=someuser;DaTa SoUrCe=testdb";
sb.ConnectionString = "PassWord=PLACEHOLDER;uSER iD=someuser;DaTa SoUrCe=testdb";
sb["Integrated Security"] = "False";
Assert.Equal(
"password=abcdef2;user id=someuser;data source=testdb;Integrated Security=False",
"password=PLACEHOLDER;user id=someuser;data source=testdb;Integrated Security=False",
sb.ConnectionString);

sb = new DbConnectionStringBuilder(true);
sb.ConnectionString = "PassWord=abcdef2;uSER iD=someuser;DaTa SoUrCe=testdb";
sb.ConnectionString = "PassWord=PLACEHOLDER;uSER iD=someuser;DaTa SoUrCe=testdb";
sb["Integrated Security"] = "False";
Assert.Equal(
"password=abcdef2;user id=someuser;data source=testdb;Integrated Security=False",
"password=PLACEHOLDER;user id=someuser;data source=testdb;Integrated Security=False",
sb.ConnectionString);
}

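Review bot: In `EmbeddedCharTest4` the first connection string now reads `PassWord=PLACEHOLDER;user iD=someuser;DaTa SoUrCe=testdb`, while the second and third cases keep `uSER iD`, so the default-constructor case no longer exercises mixed-case key normalization although its siblings do; the expected `user id=someuser` output is unchanged in all three, which makes this look like an accidental edit rather than an intended coverage change (the commit message's "Revert casing in connection string" and "Fix connection string case" suggest the intent was to keep the original casing). Restoring `sb.ConnectionString = "PassWord=PLACEHOLDER;uSER iD=someuser;DaTa SoUrCe=testdb";` for the first case keeps the three constructors under identical input. `EmbeddedCharTest4` opens before this hunk; the corresponding edits in EmbeddedCharTest1 and EmbeddedCharTest3 above are consistent across their cases.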
