Added support for AWS.Credentials hardcoded credentials

2026-04-27 09:45:15 +02:00 · 2025-04-24 11:05:56 +02:00
parent f69037c176
commit 42d5b80e81
3 changed files with 25 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
@@ -54,6 +54,13 @@ module AWS {
    result = getAWSConfig().asSource().getAPropertyWrite()
  }

+  /**
+   * Gets a data flow node representing an instance of `new AWS.Credentials(accessKeyId, secretAccessKey)`.
+   */
+  private DataFlow::Node getCredentialsCreationNode() {
+    result = getAWSImport().getMember("Credentials").getAnInstantiation().getReturn().asSource()
+  }
+
  /**
   * Holds if the `i`th argument of `invk` is an object hash for `AWS.Config`.
   */
@@ -109,6 +116,18 @@ module AWS {
          prop = "secretAccessKey"
        )
      )
+      or
+      // `new AWS.Credentials({ accessKeyId: <user>, secretAccessKey: <password> })`
+      exists(DataFlow::InvokeNode invk |
+        invk = getCredentialsCreationNode() and
+        (
+          this = invk.getArgument(0) and
+          kind = "user name"
+          or
+          this = invk.getArgument(1) and
+          kind = "password"
+        )
+      )
    }

    override string getCredentialsKind() { result = kind }
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -163,6 +163,8 @@
 | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | The hard-coded value "AccessID1" is used as $@. | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | user name |
 | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | user name |
 | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | password |
+| HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | user name |
+| HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | password |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | user name |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | password |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
@@ -561,6 +563,8 @@ nodes
 | HardcodedCredentials.js:508:93:508:109 | "NotSoSecretKey1" | semmle.label | "NotSoSecretKey1" |
 | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
 | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | semmle.label | "hgfedcba" |
+| HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
+| HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | semmle.label | "hgfedcba" |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | semmle.label | "hgfedcba" |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | semmle.label | 'dbuser' |
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -511,8 +511,8 @@
    AWS.config.secretAccessKey = "hgfedcba"; // $ Alert
    
    const creds = new AWS.Credentials(
-        "SOMEACCESSKEY", // $ MISSING: Alert
-        "hgfedcba" // $ MISSING: Alert
+        "SOMEACCESSKEY", // $ Alert
+        "hgfedcba" // $ Alert
    ); 
    AWS.config.setCredentials(creds);