
Java: QL Query Detector for JHipster Generated CVE-2019-16303 #180

Closed
1 task done
JLLeitschuh opened this issue Sep 21, 2020 · 6 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@JLLeitschuh

JLLeitschuh commented Sep 21, 2020

CVE ID(s)

Report

Last year I found a widespread vulnerability where nearly the same vulnerable file existed in >15k repositories across GitHub. I eventually tracked down the root cause of this vulnerability to the project JHipster. JHipster is a code generator used to generate basic MVC and microservice Java applications. This code generator contained a generator for creating a class RandomUtil. This class, when generated in its complete form, looked like this:

import org.apache.commons.lang3.RandomStringUtils;

/**
 * Utility class for generating random Strings.
 */
public final class RandomUtil {

    private static final int DEF_COUNT = 20;

    private RandomUtil() {
    }

    /**
     * Generate a password.
     *
     * @return the generated password.
     */
    public static String generatePassword() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }

    /**
     * Generate an activation key.
     *
     * @return the generated activation key.
     */
    public static String generateActivationKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT);
    }

    /**
     * Generate a reset key.
     *
     * @return the generated reset key.
     */
    public static String generateResetKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT);
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     *
     * @return the generated series data.
     */
    public static String generateSeriesData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     *
     * @return the generated token data.
     */
    public static String generateTokenData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }
}

You can see that there are ~15k instances of this vulnerability across GitHub here:
https://github.com/search?l=Java&p=2&q=Utility+class+for+generating+random+Strings.+RandomUtil&type=Code

By working with the GitHub staff, we were able to extract 9k repositories from that search and ingest them into LGTM.com.
From there, the query was run against all Java projects on LGTM.com resulting in this query result.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Hopefully at GitHub Universe? Maybe?

Result(s)

https://lgtm.com/query/8455949919266029298
The query returned 5,511 vulnerable projects.

CodeQL PR

github/codeql#4312
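For comparison, the mitigated shape of the generated class (an added example for this issue, not JHipster's own code or the fix shipped in the project; the class name SecureRandomUtil is assumed). The no-argument RandomStringUtils.randomXxx(...) methods draw from a shared java.util.Random, whose 48-bit state is recoverable from a handful of outputs, so activation and reset keys built that way are predictable; the seven-argument RandomStringUtils.random(...) overload accepts an explicit java.util.Random, so a SecureRandom can be supplied while keeping the same length and character classes.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Hardened variant of the generated RandomUtil (added example, not JHipster's code).
 * Every token is sourced from a CSPRNG instead of the shared java.util.Random
 * that the no-arg RandomStringUtils helpers use internally.
 */
public final class SecureRandomUtil {

    private static final int DEF_COUNT = 20;

    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    private SecureRandomUtil() {
    }

    private static String alphanumeric() {
        // start=0/end=0 with letters=true, numbers=true selects ASCII [A-Za-z0-9];
        // chars=null means no custom alphabet; the last argument is the RNG used.
        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }

    private static String numeric() {
        // letters=false, numbers=true restricts the output to ASCII digits.
        return RandomStringUtils.random(DEF_COUNT, 0, 0, false, true, null, SECURE_RANDOM);
    }

    public static String generatePassword() { return alphanumeric(); }
    public static String generateActivationKey() { return numeric(); }
    public static String generateResetKey() { return numeric(); }
    public static String generateSeriesData() { return alphanumeric(); }
    public static String generateTokenData() { return alphanumeric(); }

    // Self-check for reviewers: length and character class must still match what
    // the original generated class promised, only the entropy source changes.
    public static void main(String[] args) {
        String key = generateResetKey();
        if (key.length() != DEF_COUNT || !key.matches("[0-9]+")) {
            throw new IllegalStateException("unexpected reset key: " + key);
        }
        String pw = generatePassword();
        if (pw.length() != DEF_COUNT || !pw.matches("[A-Za-z0-9]+")) {
            throw new IllegalStateException("unexpected password: " + pw);
        }
        System.out.println("ok");
    }
}
```

When reviewing a codebase for this pattern, the thing to flag is any call to a RandomStringUtils method that does not take a Random argument while the result is used as a credential, key or token.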

@ghsecuritylab
Collaborator

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail
Contributor

xcorail commented Dec 23, 2020

Created Hackerone report 1065403 for bounty 267738: [180] Java: QL Query Detector for JHipster Generated CVE-2019-16303

@xcorail xcorail closed this as completed Dec 23, 2020
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed
