recognize another kind of dummy passwords to fix an FP in hardcoded-credentials

2026-04-30 19:26:02 +02:00 · 2022-09-29 21:25:40 +02:00
parent 7ffbc738fb
commit 0a5ff1b79a
2 changed files with 13 additions and 1 deletions
--- a/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
@@ -213,6 +213,9 @@ module PasswordHeuristics {
      normalized
          .regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth|fake|(my(token|password))|string|foo|bar|baz|qux|1234|3141|abcd).*")
    )
+    or
+    // repeats the same char more than 10 times
+    password.regexpMatch(".*([a-zA-Z0-9])\\1{10,}.*")
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -284,4 +284,13 @@
    require("http").request({auth: "user:fake token"}) // OK
    require("http").request({auth: "user:dcba"}) // OK
    require("http").request({auth: "user:custom string"}) // OK
-});
+});
+
+(function () {
+    // browser API
+    var headers = new Headers();
+    headers.append("Authorization", `Basic sdsdag:sdsdag`); // NOT OK
+    headers.append("Authorization", `Basic sdsdag:xxxxxxxxxxxxxx`); // OK
+    headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
+    headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
+});