Commit b360c8a

Update the HardcodedCredentials query file so that only the 'jwt key' sink kind is excluded by the isTestFile predicate.
According to the expected test results with the new query, the jwt sinks in the __tests__/ dir have been excluded from the query results.
1 parent 5a18775 commit b360c8a

2 files changed

Lines changed: 38 additions & 18 deletions


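--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -21,27 +21,45 @@ import semmle.javascript.filters.ClassifyFiles
 bindingset[s]
 predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
 
+predicate updateMessageWithSourceValue(string value, DataFlow::Node source, DataFlow::Node sink) {
+exists(string val | val = source.getStringValue() |
+// exclude dummy passwords and templates
+not (
+sink.(Sink).(DefaultCredentialsSink).getKind() = ["password", "credentials", "token", "key"] and
+PasswordHeuristics::isDummyPassword(val)
+or
+sink.(Sink).getKind() = "authorization header" and
+PasswordHeuristics::isDummyAuthHeader(val)
+or
+looksLikeATemplate(val)
+) and
+value = "The hard-coded value \"" + val + "\""
+)
+}
+
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
 where
 cfg.hasFlowPath(source, sink) and
-not isTestFile(sink.getNode().getFile()) and
-// use source value in message if it's available
-if source.getNode().asExpr() instanceof ConstantString
+// sink kind is "jwt key" and source is constant string
+if
+sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+// use source value in message if it's available
+source.getNode().asExpr() instanceof ConstantString
 then
-exists(string val | val = source.getNode().getStringValue() |
-// exclude dummy passwords and templates
-not (
-sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
-["password", "credentials", "token", "key"] and
-PasswordHeuristics::isDummyPassword(val)
-or
-sink.getNode().(Sink).getKind() = "authorization header" and
-PasswordHeuristics::isDummyAuthHeader(val)
-or
-looksLikeATemplate(val)
-) and
-value = "The hard-coded value \"" + val + "\""
-)
-else value = "This hard-coded value"
+not isTestFile(sink.getNode().getFile()) and
+updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
+else
+// sink kind is "jwt key" and source is not constant string
+if
+sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+not source.getNode().asExpr() instanceof ConstantString
+then not isTestFile(sink.getNode().getFile()) and value = "This hard-coded value"
+else
+// sink kind is not "jwt key" and source is constant string
+if
+not sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+source.getNode().asExpr() instanceof ConstantString
+then updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
+else value = "This hard-coded value"
 select source.getNode(), source, sink, value + " is used as $@.", sink.getNode(),
 sink.getNode().(Sink).getKind()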
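Review bot: The rewritten `where` clause enumerates the four combinations of `getKind() = "jwt key"` and `instanceof ConstantString` as a three-deep if/else chain, repeating each test three times, although the two decisions are independent: the test-file exemption depends only on the sink kind and the message text depends only on whether the source is a constant string. Collapsing them into two conjuncts yields the same four outcomes (the `else` of a QL `if` is the negation of its condition, so it covers the explicit `not ... = "jwt key"` branch) and makes the new policy readable at a glance. A comment should also state why only `jwt key` sinks remain exempt inside test files while passwords and user names under `__tests__/` are now reported; the expected-output change shows that shift but nothing in the query explains the rationale. Separately, `updateMessageWithSourceValue` has no result for dummy or template-looking values, so those flows are silently dropped rather than reported with the generic message; that was already true before this commit, but it deserves a comment on the predicate such as `// holds only when val is neither a dummy credential nor a template; flows with such values produce no result at all`.
```ql
where
  cfg.hasFlowPath(source, sink) and
  // only "jwt key" sinks are exempted when they live in a test file;
  // every other kind is reported regardless of file classification
  (
    if sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key"
    then not isTestFile(sink.getNode().getFile())
    else any()
  ) and
  // use source value in message if it's available
  (
    if source.getNode().asExpr() instanceof ConstantString
    then updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
    else value = "This hard-coded value"
  )
// … unchanged: select clause …
```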

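--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -615,3 +615,5 @@ edges
 | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:385:31:385:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:385:31:385:39 | secretKey | jwt key |
 | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:399:17:399:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:399:17:399:25 | secretKey | jwt key |
 | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:416:27:416:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:416:27:416:35 | secretKey | jwt key |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |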
