Merge pull request #6398 from erik-krogh/authHeader

Approved by esbena
2026-04-30 11:15:13 +02:00 · 2021-08-03 02:04:35 -07:00
parent 394d3349ac f1f44ceee7
commit 07f6ce7f3b
5 changed files with 70 additions and 1 deletions
--- a/javascript/change-notes/2021-08-03-hardcoded-auth-headers.md
+++ b/javascript/change-notes/2021-08-03-hardcoded-auth-headers.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Hard-coded credentials" (`js/hardcoded-credentials`) no longer flags deliberately weak authentication headers.
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -28,6 +28,9 @@ where
      not (
        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
        PasswordHeuristics::isDummyPassword(val)
+        or
+        sink.getNode().(Sink).getKind() = "authorization header" and
+        PasswordHeuristics::isDummyAuthHeader(val)
      ) and
      value = "The hard-coded value \"" + val + "\""
    )
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -188,4 +188,31 @@ module PasswordHeuristics {
      normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
    )
  }
+
+  /**
+   * Holds if `header` looks like a deliberately weak authentication header.
+   */
+  bindingset[header]
+  predicate isDummyAuthHeader(string header) {
+    isDummyPassword(header)
+    or
+    exists(string prefix, string suffix | prefix = getAnHTTPAuthenticationScheme() |
+      header.toLowerCase() = prefix + " " + suffix and
+      isDummyPassword(suffix)
+    )
+    or
+    header.trim().toLowerCase() = getAnHTTPAuthenticationScheme()
+  }
+
+  /**
+   * Gets a HTTP authentication scheme normalized to lowercase.
+   * From this list: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+   */
+  private string getAnHTTPAuthenticationScheme() {
+    result =
+      [
+        "Basic", "Bearer", "Digest", "HOBA", "Mutual", "Negotiate", "OAuth", "SCRAM-SHA-1",
+        "SCRAM-SHA-256", "vapid"
+      ].toLowerCase()
+  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -213,6 +213,16 @@ nodes
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
+| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
+| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
+| HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
+| HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
+| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
+| HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
+| HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
+| HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
+| HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -318,6 +328,13 @@ edges
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
+| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
+| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
+| HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
+| HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
+| HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
+| HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -249,4 +249,24 @@
    jwt.verify(token, publicKey, function(err, decoded) {
        console.log(decoded);
    });
-})();
+})();
+
+(async function () {
+    const fetch = require("node-fetch");
+
+    const rsp = await fetch(ENDPOINT, {
+        method: 'get',
+        headers: new fetch.Headers({
+            "Authorization": `Basic foo`, // OK - dummy password
+            "Content-Type": 'application/json'
+        })
+    });
+
+    const rsp2 = await fetch(ENDPOINT, {
+        method: 'get',
+        headers: new fetch.Headers({
+            "Authorization": `${foo ? 'Bearer' : 'OAuth'} ${accessToken}`, // OK - just a protocol selector
+            "Content-Type": 'application/json'
+        })
+    });
+});