add qhelp recommendation that you can use an obvious placeholder value

This commit is contained in:
erik-krogh
2024-05-03 19:37:31 +02:00
parent b209fc67cb
commit 39a8b49222
3 changed files with 20 additions and 0 deletions


@@ -19,6 +19,10 @@
If possible, store configuration files including credential data separately from the source code,
in a secure location with restricted access.
</p>
<p>
If the credentials are a placeholder value, make sure the value is obviously a placeholder by
using a name such as <code>"SampleToken"</code> or <code>"MyPassword"</code>.
</p>
</recommendation>
<example>


@@ -274,6 +274,15 @@ nodes
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -403,6 +412,9 @@ edges
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -468,3 +480,4 @@ edges
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |


@@ -297,4 +297,7 @@
(function () {
require('crypto').createHmac('sha256', 'mytoken'); // OK
require('crypto').createHmac('sha256', 'SampleToken'); // OK
require('crypto').createHmac('sha256', 'MyPassword'); // OK
require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
})();
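Review bot: The two new `// OK` annotations on the `'SampleToken'` and `'MyPassword'` lines do not say why those literals are accepted while `'mytoken'` above and the random-looking key below are judged differently, so a reader of the test cannot tell which heuristic each line exercises. Since the qhelp change in this commit introduces the "obviously a placeholder" recommendation, the test should name it: `require('crypto').createHmac('sha256', 'SampleToken'); // OK - obvious placeholder name` and likewise `// OK - obvious placeholder name` for `'MyPassword'`, with `// NOT OK - looks like a real key` on the last line. The expected-output hunk still lists both placeholder literals under `nodes` and `edges` while only the last key reaches `#select`, which suggests the placeholder check is applied when results are reported rather than when flow is tracked; if that is the intent, a short comment on the test file would make the expected-output diff easier to review.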