feat: US-005 - Create cr-security-002: Security-adjacent review in Kafka Java

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: LoCoBench Bot

benchmarks/ccb_codereview/cr-security-002/environment/Dockerfile

@@ -0,0 +1,29 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    openjdk-17-jdk \
+    python3 \
+    python3-pip \
+    curl \
+    jq \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /workspace
+
+# Clone Kafka at pinned tag 3.8.0
+RUN git clone --branch 3.8.0 --depth 1 https://github.com/apache/kafka.git . \
+    && git config --global user.email "test@example.com" \
+    && git config --global user.name "Test User"
+
+# Inject defects
+COPY inject_defects.sh /tmp/inject_defects.sh
+RUN chmod +x /tmp/inject_defects.sh && /tmp/inject_defects.sh
+
+# Set Java home
+ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+
+CMD ["/bin/bash"]

benchmarks/ccb_codereview/cr-security-002/environment/inject_defects.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+set -e
+
+# Defect 1 (critical): ScramSaslServer.java line 136 — invert iteration count check
+# Security impact: Allows weak credentials with low iteration counts to bypass SCRAM strength requirements
+FILE1="clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java"
+python3 -c "
+import sys
+with open('$FILE1', 'r') as f:
+    content = f.read()
+
+# Find and replace the iteration check (line 136)
+old = '''                        if (scramCredential.iterations() < mechanism.minIterations())
+                            throw new SaslException(\"Iterations \" + scramCredential.iterations() +  \" is less than the minimum \" + mechanism.minIterations() + \" for \" + mechanism);'''
+
+new = '''                        if (scramCredential.iterations() > mechanism.minIterations())
+                            throw new SaslException(\"Iterations \" + scramCredential.iterations() +  \" is less than the minimum \" + mechanism.minIterations() + \" for \" + mechanism);'''
+
+if old not in content:
+    print('ERROR: Defect 1 pattern not found in ScramSaslServer.java', file=sys.stderr)
+    sys.exit(1)
+
+content = content.replace(old, new, 1)
+
+with open('$FILE1', 'w') as f:
+    f.write(content)
+print('Defect 1 injected: Inverted iteration count check')
+"
+
+# Defect 2 (critical): ScramSaslServer.java line 226 — remove timing-safe comparison
+# Security impact: Enables timing attacks to extract credential hashes
+python3 -c "
+import sys
+with open('$FILE1', 'r') as f:
+    content = f.read()
+
+# Find and replace the timing-safe comparison (line 226-227)
+old = '''            if (!MessageDigest.isEqual(computedStoredKey, expectedStoredKey))
+                throw new SaslException(\"Invalid client credentials\");'''
+
+new = '''            if (!Arrays.equals(computedStoredKey, expectedStoredKey))
+                throw new SaslException(\"Invalid client credentials\");'''
+
+if old not in content:
+    print('ERROR: Defect 2 pattern not found in ScramSaslServer.java', file=sys.stderr)
+    sys.exit(1)
+
+content = content.replace(old, new, 1)
+
+with open('$FILE1', 'w') as f:
+    f.write(content)
+print('Defect 2 injected: Replaced timing-safe MessageDigest.isEqual with Arrays.equals')
+"
+
+# Defect 3 (high): SaslServerAuthenticator.java line 698 — remove session expiration calculation
+# Security impact: Sessions never expire even when credentials/tokens expire
+FILE2="clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java"
+python3 -c "
+import sys
+with open('$FILE2', 'r') as f:
+    content = f.read()
+
+# Find and comment out the sessionExpirationTimeNanos assignment (line 698)
+old = '''                sessionExpirationTimeNanos = authenticationEndNanos + 1000 * 1000 * retvalSessionLifetimeMs;'''
+
+new = '''                // sessionExpirationTimeNanos = authenticationEndNanos + 1000 * 1000 * retvalSessionLifetimeMs;'''
+
+if old not in content:
+    print('ERROR: Defect 3 pattern not found in SaslServerAuthenticator.java', file=sys.stderr)
+    sys.exit(1)
+
+content = content.replace(old, new, 1)
+
+with open('$FILE2', 'w') as f:
+    f.write(content)
+print('Defect 3 injected: Commented out session expiration time calculation')
+"
+
+# Defect 4 (critical): AclAuthorizer.scala line 522 — invert DENY ACL check
+# Security impact: Authorization bypass — DENY ACLs are ignored, allowing forbidden operations
+FILE3="core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala"
+python3 -c "
+import sys
+with open('$FILE3', 'r') as f:
+    content = f.read()
+
+# Find and invert the denyAclExists check in aclsAllowAccess (line 541)
+old = '''      isEmptyAclAndAuthorized(acls) || (!denyAclExists(acls) && allowAclExists(acls))'''
+
+new = '''      isEmptyAclAndAuthorized(acls) || (denyAclExists(acls) && allowAclExists(acls))'''
+
+if old not in content:
+    print('ERROR: Defect 4 pattern not found in AclAuthorizer.scala', file=sys.stderr)
+    sys.exit(1)
+
+content = content.replace(old, new, 1)
+
+with open('$FILE3', 'w') as f:
+    f.write(content)
+print('Defect 4 injected: Removed negation from denyAclExists check')
+"
+
+# Defect 5 (high): CredentialCache.java line 36 — remove credential class type validation
+# Security impact: Type confusion allows wrong credential type to be retrieved, bypassing auth checks
+FILE4="clients/src/main/java/org/apache/kafka/common/security/authenticator/CredentialCache.java"
+python3 -c "
+import sys
+with open('$FILE4', 'r') as f:
+    content = f.read()
+
+# Find and remove the credential class validation (lines 36-37)
+old = '''            if (cache.credentialClass() != credentialClass)
+                throw new IllegalArgumentException(\"Invalid credential class \" + credentialClass + \", expected \" + cache.credentialClass());'''
+
+new = '''            // Type check removed - cache can return any credential type
+            // if (cache.credentialClass() != credentialClass)
+            //     throw new IllegalArgumentException(\"Invalid credential class \" + credentialClass + \", expected \" + cache.credentialClass());'''
+
+if old not in content:
+    print('ERROR: Defect 5 pattern not found in CredentialCache.java', file=sys.stderr)
+    sys.exit(1)
+
+content = content.replace(old, new, 1)
+
+with open('$FILE4', 'w') as f:
+    f.write(content)
+print('Defect 5 injected: Removed credential class type validation')
+"
+
+echo "All 5 defects injected successfully"

benchmarks/ccb_codereview/cr-security-002/instruction.md

@@ -0,0 +1,52 @@
+# Code Review: Apache Kafka Security Defects
+
+You are reviewing a pull request to the Apache Kafka project (`apache/kafka` tag 3.8.0). The PR modifies authentication and authorization logic in the security subsystem.
+
+**Your task:** Find and fix **all injected defects** in the modified code.
+
+## Modified Files
+
+The PR touches 4 files in the Kafka security subsystem:
+
+1. `clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java`
+2. `clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java`
+3. `clients/src/main/java/org/apache/kafka/common/security/authenticator/CredentialCache.java`
+4. `core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala`
+
+These files handle SCRAM authentication, SASL server authentication, credential caching, and ACL-based authorization.
+
+## What to Look For
+
+Focus on security-critical defects including but not limited to:
+
+- **Authentication bypass**: Missing or inverted credential validation checks
+- **Authorization bypass**: Missing or inverted ACL permission checks
+- **Credential validation**: Weakened iteration counts, disabled timing-attack protections
+- **Token/session management**: Missing expiry checks, unsafe credential caching
+- **Input validation**: Missing bounds checks, unsafe string comparisons
+
+## Expected Output
+
+1. **Code fixes**: Apply your fixes directly to the files in `/workspace`
+2. **Review report**: Create `/workspace/review.json` with this structure:
+
+```json
+[
+  {
+    "file": "path/to/file.java",
+    "line": 123,
+    "severity": "critical",
+    "description": "Brief description of the defect",
+    "fix_applied": "Brief description of the fix"
+  }
+]
+```
+
+**Severity levels**: Use `critical` for authentication/authorization bypasses, `high` for credential validation weaknesses, `medium` for other security issues.
+
+## Notes
+
+- The workspace contains the full Kafka 3.8.0 source tree
+- All defects are realistic, subtle security bugs that could plausibly appear in code review
+- Some defects may require understanding interactions between multiple files
+- This is a **security-focused** review — prioritize finding all authentication and authorization defects

benchmarks/ccb_codereview/cr-security-002/task.toml

@@ -0,0 +1,51 @@
+version = "1.0"
+[metadata]
+name = "cr-security-002"
+description = "Review apache/kafka for injected security-adjacent defects: authentication bypass, unsafe deserialization, missing authorization checks, credential validation bypass, and token expiry check"
+license = "Apache-2.0"
+
+[task]
+id = "cr-security-002"
+repo = "kafka"
+category = "code-review"
+language = "java"
+difficulty = "hard"
+time_limit_sec = 1200
+
+[verification]
+type = "test"
+command = "bash /tests/test.sh"
+
+reward_type = "checklist"
+description = "F1 score for defect detection plus fix correctness with 2x weight for security-critical defects"
+[environment]
+build_timeout_sec = 1800.0
+
+[environment.setup_scripts]
+mcp_config = """#!/bin/bash
+# Setup Sourcegraph MCP if credentials provided
+if [ -n "$SOURCEGRAPH_ACCESS_TOKEN" ] && [ -n "$SOURCEGRAPH_URL" ]; then
+  echo "Setting up Sourcegraph MCP configuration..."
+  mkdir -p /root/.config/claude
+
+  cat > /root/.config/claude/mcp.json << 'EOF'
+{
+  "mcpServers": {
+    "sourcegraph": {
+      "command": "npx",
+      "args": ["-y", "@sourcegraph/mcp-server"],
+      "env": {
+        "SRC_ACCESS_TOKEN": "$SOURCEGRAPH_ACCESS_TOKEN",
+        "SOURCEGRAPH_URL": "$SOURCEGRAPH_URL"
+      }
+    }
+  }
+}
+EOF
+
+  echo "PASS MCP configuration created"
+else
+  echo "No Sourcegraph credentials provided, MCP disabled"
+fi
+exit 0
+"""

benchmarks/ccb_codereview/cr-security-002/tests/expected_defects.json

@@ -0,0 +1,52 @@
+[
+  {
+    "id": "defect-1",
+    "file": "clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java",
+    "line_start": 136,
+    "line_end": 137,
+    "type": "security",
+    "severity": "critical",
+    "description": "Iteration count validation inverted (< changed to >) — allows weak SCRAM credentials with iteration counts below the minimum threshold to bypass authentication strength requirements, enabling brute-force attacks on low-iteration password hashes.",
+    "cross_file": false
+  },
+  {
+    "id": "defect-2",
+    "file": "clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java",
+    "line_start": 226,
+    "line_end": 227,
+    "type": "security",
+    "severity": "critical",
+    "description": "Timing-safe comparison replaced with Arrays.equals — MessageDigest.isEqual() prevents timing attacks by using constant-time comparison; Arrays.equals() leaks credential hash information through execution timing, allowing attackers to extract stored keys byte-by-byte.",
+    "cross_file": false
+  },
+  {
+    "id": "defect-3",
+    "file": "clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java",
+    "line_start": 698,
+    "line_end": 698,
+    "type": "security",
+    "severity": "high",
+    "description": "Session expiration time calculation commented out — without setting sessionExpirationTimeNanos, authenticated sessions never expire even when delegation tokens or credentials expire, allowing indefinite access with revoked credentials.",
+    "cross_file": false
+  },
+  {
+    "id": "defect-4",
+    "file": "core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala",
+    "line_start": 541,
+    "line_end": 541,
+    "type": "security",
+    "severity": "critical",
+    "description": "DENY ACL check negation removed — the condition changed from !denyAclExists to denyAclExists, inverting the logic so DENY ACLs are required instead of forbidden. This allows operations that should be explicitly denied to proceed, bypassing ACL-based authorization.",
+    "cross_file": false
+  },
+  {
+    "id": "defect-5",
+    "file": "clients/src/main/java/org/apache/kafka/common/security/authenticator/CredentialCache.java",
+    "line_start": 36,
+    "line_end": 37,
+    "type": "security",
+    "severity": "high",
+    "description": "Credential class type validation removed — without the credentialClass() != credentialClass check, the cache can return credentials of the wrong type (e.g., SCRAM credentials when PLAIN was requested), causing type confusion that bypasses authentication checks in callback handlers.",
+    "cross_file": false
+  }
+]

benchmarks/ccb_codereview/cr-security-002/tests/expected_patches/defect-1.patch

@@ -0,0 +1,12 @@
+--- a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
++++ b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
+@@ -133,7 +133,7 @@ public class ScramSaslServer implements SaslServer {
+                         String authorizationIdFromClient = clientFirstMessage.authorizationId();
+                         if (!authorizationIdFromClient.isEmpty() && !authorizationIdFromClient.equals(username))
+                             throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username");
+
+-                        if (scramCredential.iterations() > mechanism.minIterations())
++                        if (scramCredential.iterations() < mechanism.minIterations())
+                             throw new SaslException("Iterations " + scramCredential.iterations() +  " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
+                         this.serverFirstMessage = new ServerFirstMessage(clientFirstMessage.nonce(),
+                                 serverNonce,

benchmarks/ccb_codereview/cr-security-002/tests/expected_patches/defect-2.patch

@@ -0,0 +1,11 @@
+--- a/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
++++ b/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslServer.java
+@@ -223,7 +223,7 @@ public class ScramSaslServer implements SaslServer {
+             byte[] expectedStoredKey = scramCredential.storedKey();
+             byte[] clientSignature = formatter.clientSignature(expectedStoredKey, clientFirstMessage, serverFirstMessage, clientFinalMessage);
+             byte[] computedStoredKey = formatter.storedKey(clientSignature, clientFinalMessage.proof());
+-            if (!Arrays.equals(computedStoredKey, expectedStoredKey))
++            if (!MessageDigest.isEqual(computedStoredKey, expectedStoredKey))
+                 throw new SaslException("Invalid client credentials");
+         } catch (InvalidKeyException e) {
+             throw new SaslException("Sasl client verification failed", e);

benchmarks/ccb_codereview/cr-security-002/tests/expected_patches/defect-3.patch

@@ -0,0 +1,11 @@
+--- a/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
++++ b/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.java
+@@ -695,7 +695,7 @@ public class SaslServerAuthenticator implements Authenticator {
+                 else
+                     retvalSessionLifetimeMs = zeroIfNegative(Math.min(credentialExpirationMs - authenticationEndMs, connectionsMaxReauthMs));
+
+-                // sessionExpirationTimeNanos = authenticationEndNanos + 1000 * 1000 * retvalSessionLifetimeMs;
++                sessionExpirationTimeNanos = authenticationEndNanos + 1000 * 1000 * retvalSessionLifetimeMs;
+             }
+
+             if (credentialExpirationMs != null) {

benchmarks/ccb_codereview/cr-security-002/tests/expected_patches/defect-4.patch

@@ -0,0 +1,11 @@
+--- a/core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala
++++ b/core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala
+@@ -538,7 +538,7 @@ class AclAuthorizer extends Authorizer with Logging {
+       // we allow an operation if no acls are found and user has configured to allow all users
+       // when no acls are found or if no deny acls are found and at least one allow acls matches.
+       val acls = matchingAcls(resource.resourceType, resource.name)
+-      isEmptyAclAndAuthorized(acls) || (denyAclExists(acls) && allowAclExists(acls))
++      isEmptyAclAndAuthorized(acls) || (!denyAclExists(acls) && allowAclExists(acls))
+     }
+
+     // Evaluate if operation is allowed

benchmarks/ccb_codereview/cr-security-002/tests/expected_patches/defect-5.patch

@@ -0,0 +1,14 @@
+--- a/clients/src/main/java/org/apache/kafka/common/security/authenticator/CredentialCache.java
++++ b/clients/src/main/java/org/apache/kafka/common/security/authenticator/CredentialCache.java
+@@ -33,9 +33,8 @@ public class CredentialCache {
+     public <C> Cache<C> cache(String mechanism, Class<C> credentialClass) {
+         Cache<?> cache = cacheMap.get(mechanism);
+         if (cache != null) {
+-            // Type check removed - cache can return any credential type
+-            // if (cache.credentialClass() != credentialClass)
+-            //     throw new IllegalArgumentException("Invalid credential class " + credentialClass + ", expected " + cache.credentialClass());
++            if (cache.credentialClass() != credentialClass)
++                throw new IllegalArgumentException("Invalid credential class " + credentialClass + ", expected " + cache.credentialClass());
+             return (Cache<C>) cache;
+         } else
+             return null;