Add Java security queries: cleartext LDAP, insecure JDBC cert, credentials in URL, IDOR

[felickz]

What

Adds five Java security queries, each with a Markdown help doc, under java/src/security. They cover transport-security and broken-access-control patterns that the default CodeQL Java suite and the existing community queries do not flag.

CWE	Query	Kind	What it finds
319	CleartextLdapUrl.ql	problem	An ldap:// URL configured on an LDAP context source (setUrl/setProviderUrl), transmitting bind credentials in cleartext
295	InsecureJdbcCertificateValidation.ql	problem	A JDBC URL containing trustServerCertificate=true, which accepts any server certificate (MITM)
598	CredentialsInOutboundUrl.ql	path-problem	A credential getter (getPassword/getSecret/...) whose value flows into the URL of an outbound HTTP client call
639	UserControlledRecordRetrieval.ql	path-problem	Read/disclosure IDOR: a @PathVariable id flowing into a repository finder (findById/...) with no per-record authorization check
639	InsecureDirectObjectReference.ql	problem	Modify IDOR: a state-changing Spring action keyed on a user-supplied id with no user/session check and no method-security annotation. Java analogue of cs/web/insecure-direct-object-reference

Why

These were found while reproducing a set of true positives that SAST missed on a sample Spring application. The two CWE-639 queries deliberately split IDOR into its two sub-classes:

• UserControlledRecordRetrieval (dataflow) covers the read/disclosure case.
• InsecureDirectObjectReference ports the C# InsecureDirectObjectReferenceQuery design (absence-of-authorization-check on a mutating action) to Spring MVC.

Validation

• All five compile clean with codeql query compile --warnings=error against codeql/java-all (CLI 2.25.6).
• Autoformatted with codeql query format.
• True positives confirmed on a sample Spring app (CLI 2.25.6 database):
  • CleartextLdapUrl -> ctx.setUrl("ldap://...")
  • InsecureJdbcCertificateValidation -> DriverManager.getConnection with trustServerCertificate=true
  • CredentialsInOutboundUrl -> props.getPassword() into restTemplate.getForObject(url)
  • UserControlledRecordRetrieval -> @PathVariable id into repository.findById(id)
• InsecureDirectObjectReference returns no result on that sample because its only id-bearing endpoint is a GET read; it is a faithful port of the first-party C# query, which targets state-changing actions. It fires on mutating endpoints (POST/PUT/DELETE/PATCH or edit/delete/modify/update/save/remove) that lack an authorization check.

Notes

• Queries are auto-included by the existing java.qls path glob (kinds problem/path-problem, precision medium and low); no suite changes needed.
• No use of getAQlClass or toString regex; regexpMatch is applied only to string values (names, URL literals).

[Copilot]

Pull request overview

Adds new Java security queries (and corresponding Markdown help) under java/src/security to detect additional transport-security and broken-access-control patterns not covered by default suites/community queries.

Changes:

• Introduces two CWE-639 IDOR-related queries (read/dataflow and write/heuristic) with docs.
• Adds new transport/security misconfiguration queries for cleartext LDAP and insecure JDBC TLS validation, with docs.
• Adds a dataflow query for credentials flowing into outbound HTTP request URLs, with docs.

Show a summary per file

File	Description
java/src/security/CWE-639/UserControlledRecordRetrieval.ql	New path-problem query for @PathVariable id flowing into repository findById-style calls.
java/src/security/CWE-639/UserControlledRecordRetrieval.md	Help doc for the record-retrieval IDOR (read/disclosure) query.
java/src/security/CWE-639/InsecureDirectObjectReference.ql	New problem query for mutating Spring controller actions keyed by id lacking authorization checks/annotations.
java/src/security/CWE-639/InsecureDirectObjectReference.md	Help doc for the mutating IDOR query.
java/src/security/CWE-598/CredentialsInOutboundUrl.ql	New path-problem query for credential getters flowing into outbound HTTP URL arguments.
java/src/security/CWE-598/CredentialsInOutboundUrl.md	Help doc for outbound-URL credential exposure.
java/src/security/CWE-319/CleartextLdapUrl.ql	New problem query for constant ldap:// URLs passed into LDAP context configuration calls.
java/src/security/CWE-319/CleartextLdapUrl.md	Help doc for cleartext LDAP URL configuration.
java/src/security/CWE-295/InsecureJdbcCertificateValidation.ql	New problem query for JDBC URLs containing trustServerCertificate=true.
java/src/security/CWE-295/InsecureJdbcCertificateValidation.md	Help doc for insecure JDBC TLS certificate validation configuration.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 10/10 changed files
• Comments generated: 4

[felickz]

@copilot why is this not compiling, it works with latest CodeQL version on my local machine

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/28042925672/job/83013579419

[Copilot]

@copilot why is this not compiling, it works with latest CodeQL version on my local machine

https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/actions/runs/28042925672/job/83013579419

The CI was failing because getAValue() on SpringRequestMappingMethod was introduced in codeql/java-all@7.3.0 (CLI 2.21.4), but the project pins to CLI 2.21.1 which bundles codeql/java-all@7.1.3. In that version, the method is still called getValue().

Fixed in commit that replaces this.getAValue() with this.getValue() in InsecureDirectObjectReference.ql. Also addressed the other review issues while touching these files: switched getAStringArrayValue to getAStringValue for @PathVariable/@RequestParam annotation lookups (those attributes are single strings, not arrays), removed setUrls from the LDAP sink (it takes a String[] so the single-constant check never matched), and dropped the LDAP URL literal from the alert message to avoid surfacing embedded credentials in results.