Annotations for passwords

joncard1 · July 13, 2023, 3:06pm

I’m not a big user of annotations, historically, and I only recently discovered “Pluggable Type Systems” in Java, so possibly this is a dumb question, but are there any annotation libraries where you can declare a variable or field something like “sensitive” and method parameters “insecure” so that the compiler can enforce good security control? Like, I envision declaring a variable “@sensitive val password = getPasswordFromSomewhere()” or a method like

def getPasswordFromSomewhere(): @sensitive String = { … }

(not sure about the syntax there; I’d like to declare that the result is @sensitive, not that the method does something sensitive, but maybe that’s not right) and a method like:

class MyLogger {
def debug(@insecure message: String, @insecure variable: Any) { … }
}

(I don’t know if this is a thing that annotations can do, but it would be nice if the compiler could infer that “val password: String” is @sensitive if getPasswordFromSomewhere is @sensitive, like how the compiler can trace a variable’s provenance and know that it may not be initialized)

and the compiler enforcing that you can’t write passwords to log files. I’ve taken a quick look at The Checker Framework, but didn’t see anything, though I intend to look more.

Thank you for reading and thank you for your patience if there’s an obvious answer I’ve overlooked.

jducoeur · July 13, 2023, 3:47pm

The usual Scala approach to this wouldn’t be with annotations, but with types. That is, don’t use String for this at all – instead, return a strong Password type from getPasswordFromSomewhere(). At that point, it is way easier to enforce proper behavior downstream – not a silver bullet, but a much more tractable problem.

In general, raw Strings, Ints, Longs and things like that are hard to use correctly. Using more-precise types reduces the scope for mistakes enormously, and it’s not unusual in Scala to use stronger types more or less exclusively.

SPOXY · July 13, 2023, 6:41pm

IntelliJ IDEA already tracks the flow of variables marked with the javax.annotation.Tainted annotation, but that currently seems to work in Java only.

BardurArantsson · July 13, 2023, 10:59pm

Seconded. Annotations are easy to forget. Just use a simple wrapper (and override toString, btw!).