add support for string concatenations and base64-encoding of hardcoded credentials

This commit is contained in:
Erik Krogh Kristensen
2020-06-02 23:15:13 +02:00
parent b6dc94fccb
commit 3c802007a3
3 changed files with 40 additions and 11 deletions


@@ -20,5 +20,12 @@ module HardcodedCredentials {
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
or
trg.(StringOps::ConcatenationRoot).getALeaf() = src and
not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
}
}
}
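Review bot: The `not exists(src.(StringOps::ConcatenationLeaf).getStringValue())` guard on the concatenation step drops flow from every leaf with a known constant value, so it also excludes a credential literal written directly into the concatenation, not only separators like the ":" in user + ":" + pass. Presumably that case is still reported because the whole concatenation then has a constant value and qualifies as a Source on its own, but the `Source` class is outside this hunk and the comment does not say so. Suggest moving the trailing comment onto its own line above the disjunct and stating the trade-off: `// Only step through leaves without a known constant value: this skips separators such as ":" in user + ":" + pass, and also literal leaves, whose enclosing concatenation is expected to be flagged directly as a constant.` A QLDoc comment on `isAdditionalFlowStep` naming the two extra steps (Base64 encoding and string concatenation) would also help, since they widen the configuration beyond the default flow steps.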


@@ -162,11 +162,20 @@ nodes
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:170:11:170:25 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
| HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:171:11:171:25 | USER |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
| HardcodedCredentials.js:172:11:172:25 | PASS |
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' |
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' |
| HardcodedCredentials.js:173:11:173:49 | AUTH |
| HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) |
| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
| HardcodedCredentials.js:173:35:173:38 | USER |
| HardcodedCredentials.js:173:43:173:46 | PASS |
| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
| HardcodedCredentials.js:178:37:178:40 | AUTH |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -225,10 +234,19 @@ edges
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
| HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
| HardcodedCredentials.js:172:11:172:25 | PASS | HardcodedCredentials.js:173:43:173:46 | PASS |
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:178:37:178:40 | AUTH |
| HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) | HardcodedCredentials.js:173:11:173:49 | AUTH |
| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` | HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) |
| HardcodedCredentials.js:173:35:173:38 | USER | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
| HardcodedCredentials.js:173:43:173:46 | PASS | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -283,4 +301,5 @@ edges
| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:175:30:175:33 | PASS | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:175:30:175:33 | PASS | authorization headers |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |


@@ -165,14 +165,17 @@
})();
(async function () {
const base64 = require('base-64');
const fetch = require("node-fetch");
const USER = 'sdsdag';
const PASS = 'sdsdag';
const AUTH = base64.encode(`${USER}:${PASS}`);
const rsp = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
'Authorization': PASS,
Authorization: `Basic ${AUTH}`,
'Content-Type': 'application/json'
})
});