Add fixed proposition for NodeJS

2026-04-25 08:45:14 +02:00 · 2023-06-20 17:22:56 +00:00
parent eb28266bcb
commit 36cb60c746
3 changed files with 24 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
@@ -33,6 +33,10 @@
    <code>username</code> and <code>password</code>, which can be set externally without hard-coding
    credentials in the source code.
  </p>
+
+  For example, in a NodeJS environment : 
+  <sample src="examples/HardcodedCredentialsHttpRequestFixed.js"/>
+
 </example>

 <example>
--- a/javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequest.js
+++ b/javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequest.js
@@ -11,8 +11,8 @@ headers.append('Authorization', 'Basic' + base64.encode(username + ":" + passwor

 fetch(url, {method:'GET',
        headers: headers,
-        //credentials: 'user:passwd'
+        credentials: `${user}:${passwd}`
       })
 .then(response => response.json())
 .then(json => console.log(json));
-//.done();
+.done();
--- a/javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequestFixed.js
+++ b/javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequestFixed.js
@@ -0,0 +1,18 @@
+let base64 = require('base-64');
+
+let url = 'http://example.org/auth';
+let username = process.env.USERNAME;
+let password = process.env.PASSWORD;
+
+let headers = new Headers();
+
+//headers.append('Content-Type', 'text/json');
+headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
+
+fetch(url, {method:'GET',
+        headers: headers,
+        credentials: `${user}:${passwd}`
+       })
+.then(response => response.json())
+.then(json => console.log(json));
+.done();