

Commit 5d79a8c

committed
account for keyword args in rb/hardcoded-credentials and simplify query
1 parent f27dd45 commit 5d79a8c

2 files changed

Lines changed: 12 additions & 34 deletions


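--- a/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
+++ b/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
@@ -15,7 +15,6 @@
 import ruby
 import codeql_ruby.DataFlow
 import DataFlow::PathGraph
-private import codeql_ruby.typetracking.TypeTracker
 private import codeql_ruby.controlflow.CfgNodes
 
 bindingset[char, fraction]
@@ -88,21 +87,21 @@ private predicate maybeCredentialName(string name) {
 not name.suffix(name.length() - 4) = "file"
 }
 
-// A parameter that may represent a credential value
-private DataFlow::LocalSourceNode credentialParameter(TypeTracker t) {
-t.start() and
+// Positional parameter
+private DataFlow::Node credentialParameter() {
 exists(Method m, NamedParameter p, int idx |
-// TODO: this does not capture keyword params
 result.asParameter() = p and
 p = m.getParameter(idx) and
 maybeCredentialName(p.getName())
 )
-or
-exists(TypeTracker t2 | result = credentialParameter(t2).track(t2, t))
 }
 
-private DataFlow::Node credentialParameter() {
-credentialParameter(TypeTracker::end()).flowsTo(result)
+// Keyword argument
+private Expr credentialKeywordArgument() {
+exists(MethodCall mc, string argKey |
+result = mc.getKeywordArgument(argKey) and
+maybeCredentialName(argKey)
+)
 }
 
 // An equality check against a credential value
@@ -121,6 +120,8 @@ private Expr credentialComparison() {
 private predicate isCredentialSink(DataFlow::Node node) {
 node = credentialParameter()
 or
+node.asExpr().getExpr() = credentialKeywordArgument()
+or
 node.asExpr().getExpr() = credentialComparison()
 }
 
@@ -150,4 +151,3 @@ class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
 from DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialsConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Use of $@.", source.getNode(), "hardcoded credentials"
-// TODO: debug duplicate rows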
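Review bot: The header comment on `credentialParameter()` at new line 90 lost the contract the old one stated; `// Positional parameter` does not say that the match is by name, which is the whole heuristic. Suggest `// A positional method parameter whose name suggests it holds a credential` there and, for symmetry, `// A keyword argument whose key suggests it holds a credential` on `credentialKeywordArgument()`. In the body, `m` and `idx` are now bound only to require that `p` is a parameter of some method, so `p = any(Method m).getParameter(_)` would state the same constraint with fewer bound variables. With the type-tracking step removed the sink is the parameter node itself rather than its later uses, which appears to be what drops the `8:18:8:25` and `32:7:32:12` rows from the expected output; a one-line comment recording that this is deliberate would keep a future reader from re-adding the tracking to "fix" the missing uses.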
Lines changed: 2 additions & 24 deletions
@@ -1,52 +1,30 @@
11
edges
2-
| HardcodedCredentials.rb:1:23:1:30 | password : | HardcodedCredentials.rb:1:23:1:30 | password |
3-
| HardcodedCredentials.rb:1:23:1:30 | password : | HardcodedCredentials.rb:8:18:8:25 | password |
42
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password |
5-
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password : |
63
| HardcodedCredentials.rb:18:19:18:72 | ... + ... : | HardcodedCredentials.rb:1:23:1:30 | password |
7-
| HardcodedCredentials.rb:18:19:18:72 | ... + ... : | HardcodedCredentials.rb:1:23:1:30 | password : |
84
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:18:19:18:72 | ... + ... : |
95
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:23:19:23:20 | pw : |
106
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:23:19:23:20 | pw : |
117
| HardcodedCredentials.rb:23:19:23:20 | pw : | HardcodedCredentials.rb:1:23:1:30 | password |
12-
| HardcodedCredentials.rb:23:19:23:20 | pw : | HardcodedCredentials.rb:1:23:1:30 | password : |
13-
| HardcodedCredentials.rb:31:18:31:23 | passwd : | HardcodedCredentials.rb:31:18:31:23 | passwd |
14-
| HardcodedCredentials.rb:31:18:31:23 | passwd : | HardcodedCredentials.rb:32:7:32:12 | passwd |
158
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd |
16-
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd : |
179
nodes
1810
| HardcodedCredentials.rb:1:23:1:30 | password | semmle.label | password |
19-
| HardcodedCredentials.rb:1:23:1:30 | password | semmle.label | password |
20-
| HardcodedCredentials.rb:1:23:1:30 | password : | semmle.label | password : |
2111
| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | semmle.label | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." |
22-
| HardcodedCredentials.rb:8:18:8:25 | password | semmle.label | password |
2312
| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | semmle.label | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." |
2413
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | semmle.label | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : |
14+
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | semmle.label | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." |
2515
| HardcodedCredentials.rb:18:19:18:72 | ... + ... : | semmle.label | ... + ... : |
2616
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | semmle.label | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : |
2717
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | semmle.label | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : |
2818
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | semmle.label | "4fQuzXef4f2yow8KWvIJTA==" : |
2919
| HardcodedCredentials.rb:23:19:23:20 | pw : | semmle.label | pw : |
3020
| HardcodedCredentials.rb:31:18:31:23 | passwd | semmle.label | passwd |
31-
| HardcodedCredentials.rb:31:18:31:23 | passwd | semmle.label | passwd |
32-
| HardcodedCredentials.rb:31:18:31:23 | passwd : | semmle.label | passwd : |
33-
| HardcodedCredentials.rb:32:7:32:12 | passwd | semmle.label | passwd |
3421
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | semmle.label | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : |
3522
#select
3623
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | hardcoded credentials |
37-
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | hardcoded credentials |
38-
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | hardcoded credentials |
3924
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | hardcoded credentials |
4025
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | hardcoded credentials |
41-
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | hardcoded credentials |
42-
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | hardcoded credentials |
4326
| HardcodedCredentials.rb:1:23:1:30 | password | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:1:23:1:30 | password | Use of $@. | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | hardcoded credentials |
4427
| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | Use of $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | hardcoded credentials |
45-
| HardcodedCredentials.rb:8:18:8:25 | password | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:8:18:8:25 | password | Use of $@. | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | hardcoded credentials |
46-
| HardcodedCredentials.rb:8:18:8:25 | password | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:8:18:8:25 | password | Use of $@. | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | hardcoded credentials |
47-
| HardcodedCredentials.rb:8:18:8:25 | password | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:8:18:8:25 | password | Use of $@. | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | hardcoded credentials |
48-
| HardcodedCredentials.rb:8:18:8:25 | password | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:8:18:8:25 | password | Use of $@. | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | hardcoded credentials |
4928
| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | Use of $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | hardcoded credentials |
29+
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | Use of $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | hardcoded credentials |
5030
| HardcodedCredentials.rb:31:18:31:23 | passwd | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd | Use of $@. | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | hardcoded credentials |
51-
| HardcodedCredentials.rb:31:18:31:23 | passwd | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd | Use of $@. | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | hardcoded credentials |
52-
| HardcodedCredentials.rb:32:7:32:12 | passwd | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:32:7:32:12 | passwd | Use of $@. | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | hardcoded credentials |
