JS: exclude keys from whitelist

Esben Sparre Andreasen · Esben Sparre Andreasen · commit a5645e168ab5 · 2019-09-16T10:13:18.000+02:00
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -22,18 +22,11 @@ where
   // use source value in message if it's available
   if source.getNode().asExpr() instanceof ConstantString
   then
-    exists(string val, Sink sinkNode |
-      sinkNode = sink.getNode().(Sink) and
-      val = source.getNode().getStringValue()
-    |
-      (
-        (
-          sinkNode.(DefaultCredentialsSink).getKind() = "password" or
-          sinkNode.(DefaultCredentialsSink).getKind() = "key"
-        )
-        implies
-        // exclude dummy passwords
-        not PasswordHeuristics::isDummyPassword(val)
+    exists(string val | val = source.getNode().getStringValue() |
+      // exclude dummy passwords
+      not (
+        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
+        PasswordHeuristics::isDummyPassword(val)
       ) and
       value = "The hard-coded value \"" + val + "\""
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -52,6 +52,8 @@ nodes
 | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' |
 | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" |
 | HardcodedCredentials.js:160:38:160:48 | "change_me" |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
+| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 edges
 | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
 #select
@@ -106,3 +108,5 @@ edges
 | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | key |
 | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | key |
 | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
+| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -157,5 +157,9 @@
 })();
 
 (function(){
-	require("cookie-session")({ secret: "change_me" });
+	require("cookie-session")({ secret: "change_me" }); // NOT OK
+	require('crypto').createHmac('sha256', 'change_me'); // NOT OK
+
+	var basicAuth = require('express-basic-auth');
+	basicAuth({users: { [adminName]: 'change_me' }});  // OK
 })();
