JS: Do not treat the empty string as a credential

Asger F
2019-07-30 17:22:19 +01:00
parent 6d10731b8f
commit 378b0bfb74
2 changed files with 15 additions and 5 deletions


@@ -28,6 +28,10 @@ module HardcodedCredentials {
/** A constant string, considered as a source of hardcoded credentials. */
class ConstantStringSource extends Source, DataFlow::ValueNode {
override ConstantString astNode;
ConstantStringSource() {
not astNode.getStringValue() = ""
}
}
/**
@@ -37,11 +41,6 @@ module HardcodedCredentials {
class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
override CredentialsExpr astNode;
DefaultCredentialsSink() {
// Don't flag an empty user name
not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
}
override string getKind() { result = astNode.getCredentialsKind() }
}
}
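Review bot: The QLDoc on `ConstantStringSource` still says "A constant string, considered as a source of hardcoded credentials", although the constructor shown in the first hunk now excludes `""`, and the explanatory comment on the `DefaultCredentialsSink` constructor has gone without a replacement. I would change the doc to `/** A non-empty constant string, considered as a source of hardcoded credentials. */` and put `// The empty string is typically a fallback value, not a real credential` above `not astNode.getStringValue() = ""`. The sink-side condition was limited to the `"user name"` kind, while the source-side condition applies to every credentials kind, so a literal empty password reaching a credentials sink is presumably no longer reported by this query. If that is intended, it is worth saying so in the query documentation so users know empty passwords are out of scope here. The module body starts and ends outside both hunks.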


@@ -144,3 +144,14 @@
}
});
})();
(function(){
var request = require('request');
let pass = getPassword() || '';
request.get(url, { // OK
'auth': {
'user': process.env.USER || '',
'pass': pass,
}
});
})();
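Review bot: The added case only pins the `// OK` direction (an empty-string fallback for `'user'` and `'pass'`), so nothing in this hunk guards against the new source filter suppressing too much. A sibling case with a non-empty fallback, for example `let pass = getPassword() || 'constructed-sample';` with the `'pass': pass,` line marked `// NOT OK`, would confirm that only `''` is exempt. The earlier part of the test file is outside the hunk, so such a case may already exist there.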