Merge pull request #6398 from erik-krogh/authHeader

Approved by esbena
2026-04-28 10:15:14 +02:00 · 2021-08-03 02:04:35 -07:00
parent 394d3349ac f1f44ceee7
commit 07f6ce7f3b
5 changed files with 70 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -28,6 +28,9 @@ where
      not (
        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
        PasswordHeuristics::isDummyPassword(val)
+        or
+        sink.getNode().(Sink).getKind() = "authorization header" and
+        PasswordHeuristics::isDummyAuthHeader(val)
      ) and
      value = "The hard-coded value \"" + val + "\""
    )
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -188,4 +188,31 @@ module PasswordHeuristics {
      normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
    )
  }
+
+  /**
+   * Holds if `header` looks like a deliberately weak authentication header.
+   */
+  bindingset[header]
+  predicate isDummyAuthHeader(string header) {
+    isDummyPassword(header)
+    or
+    exists(string prefix, string suffix | prefix = getAnHTTPAuthenticationScheme() |
+      header.toLowerCase() = prefix + " " + suffix and
+      isDummyPassword(suffix)
+    )
+    or
+    header.trim().toLowerCase() = getAnHTTPAuthenticationScheme()
+  }
+
+  /**
+   * Gets a HTTP authentication scheme normalized to lowercase.
+   * From this list: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
+   */
+  private string getAnHTTPAuthenticationScheme() {
+    result =
+      [
+        "Basic", "Bearer", "Digest", "HOBA", "Mutual", "Negotiate", "OAuth", "SCRAM-SHA-1",
+        "SCRAM-SHA-256", "vapid"
+      ].toLowerCase()
+  }
 }