mirror of
https://github.com/github/codeql.git
synced 2026-04-29 18:55:14 +02:00
support more variants of the Headers API
@@ -1151,14 +1151,19 @@ module NodeJSLib {
|
||||
/** An expression that is passed as `http.request({ auth: <expr> }, ...)`. */
|
||||
class FetchAuthorization extends CredentialsExpr {
|
||||
FetchAuthorization() {
|
||||
this =
|
||||
moduleImport()
|
||||
.getAConstructorInvocation("Headers")
|
||||
.getArgument(0)
|
||||
.getALocalSource()
|
||||
.getAPropertyWrite("Authorization")
|
||||
.getRhs()
|
||||
.asExpr()
|
||||
exists(DataFlow::Node headers |
|
||||
headers = moduleImport().getAConstructorInvocation("Headers").getArgument(0)
|
||||
or
|
||||
headers = moduleImport().getACall().getOptionArgument(1, "headers")
|
||||
|
|
||||
this = headers.getALocalSource().getAPropertyWrite("Authorization").getRhs().asExpr()
|
||||
)
|
||||
or
|
||||
exists(DataFlow::MethodCallNode appendCall |
|
||||
appendCall = moduleImport().getAConstructorInvocation("Headers").getAMethodCall(["append", "set"]) and
|
||||
appendCall.getArgument(0).mayHaveStringValue("Authorization") and
|
||||
this = appendCall.getArgument(1).asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
override string getCredentialsKind() { result = "authorization headers" }
|
||||
|
||||
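Review bot: The header name is matched only as the exact string "Authorization", both in `getAPropertyWrite("Authorization")` and in `appendCall.getArgument(0).mayHaveStringValue("Authorization")`, so a hard-coded credential written under `authorization` or `AUTHORIZATION` is not reported even though HTTP header names are case-insensitive. Binding the name and comparing it lowercased would close that false negative, for example `exists(string name | name.toLowerCase() = "authorization" | this = headers.getALocalSource().getAPropertyWrite(name).getRhs().asExpr())`, with the same treatment for the first argument of the `append`/`set` call. The doc comment above the class still describes `http.request({ auth: <expr> }, ...)` and should instead say that the class models the value of the Authorization header on a fetch request. Which package `moduleImport()` resolves to is defined outside this hunk, so that wording needs checking against it. The variable `appendCall` also binds `set` calls, so a neutral name such as `headerCall` would read more accurately.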
@@ -173,9 +173,18 @@ nodes
|
||||
| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:173:35:173:38 | USER |
|
||||
| HardcodedCredentials.js:173:43:173:46 | PASS |
|
||||
| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:37:178:40 | AUTH |
|
||||
| HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:39:178:42 | AUTH |
|
||||
| HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:188:39:188:42 | AUTH |
|
||||
| HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:195:46:195:49 | AUTH |
|
||||
| HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH |
|
||||
edges
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
|
||||
@@ -240,13 +249,22 @@ edges
|
||||
| HardcodedCredentials.js:172:11:172:25 | PASS | HardcodedCredentials.js:173:43:173:46 | PASS |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
|
||||
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:178:37:178:40 | AUTH |
|
||||
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:178:39:178:42 | AUTH |
|
||||
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:188:39:188:42 | AUTH |
|
||||
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:195:46:195:49 | AUTH |
|
||||
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:204:44:204:47 | AUTH |
|
||||
| HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) | HardcodedCredentials.js:173:11:173:49 | AUTH |
|
||||
| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` | HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) |
|
||||
| HardcodedCredentials.js:173:35:173:38 | USER | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:173:43:173:46 | PASS | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
|
||||
| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:39:178:42 | AUTH | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:178:39:178:42 | AUTH | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:188:39:188:42 | AUTH | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:188:39:188:42 | AUTH | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:195:46:195:49 | AUTH | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:195:46:195:49 | AUTH | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
| HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
|
||||
#select
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
|
||||
@@ -301,5 +319,11 @@ edges
|
||||
| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
|
||||
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
|
||||
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization headers |
|
||||
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
|
||||
|
||||
@@ -175,8 +175,35 @@
|
||||
const rsp = await fetch(ENDPOINT, {
|
||||
method: 'get',
|
||||
headers: new fetch.Headers({
|
||||
Authorization: `Basic ${AUTH}`,
|
||||
'Content-Type': 'application/json'
|
||||
"Authorization": `Basic ${AUTH}`,
|
||||
"Content-Type": 'application/json'
|
||||
})
|
||||
});
|
||||
|
||||
fetch(ENDPOINT, {
|
||||
method: 'post',
|
||||
body: JSON.stringify(body),
|
||||
headers: {
|
||||
"Content-Type": 'application/json',
|
||||
"Authorization": `Basic ${AUTH}`
|
||||
},
|
||||
})
|
||||
|
||||
var headers = new fetch.Headers({
|
||||
"Content-Type": 'application/json'
|
||||
});
|
||||
headers.append("Authorization", `Basic ${AUTH}`)
|
||||
fetch(ENDPOINT, {
|
||||
method: 'get',
|
||||
headers: headers
|
||||
});
|
||||
|
||||
var headers2 = new fetch.Headers({
|
||||
"Content-Type": 'application/json'
|
||||
});
|
||||
headers2.set("Authorization", `Basic ${AUTH}`)
|
||||
fetch(ENDPOINT, {
|
||||
method: 'get',
|
||||
headers: headers2
|
||||
});
|
||||
});
|
||||
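Review bot: Every fixture added here is a positive case that feeds the same hard-coded `AUTH` value into an exact-case "Authorization" header, so nothing pins what the query must not report. A case whose header value is not hard-coded, for example `headers.set("Authorization", process.env.AUTH_HEADER)`, would guard the new `append`/`set` and `headers:` option branches against over-matching. A lower-case `"authorization"` key would also document whether that spelling is covered. The enclosing function starts outside this hunk, so such cases may already exist earlier in the file.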