Merge pull request #1314 from xiemaisi/js/fix-hardcoded-pw-fps

JavaScript: Further broaden the whitelist in `PasswordInConfigurationFile`.
2026-04-30 19:26:02 +02:00 · 2019-05-16 14:42:09 +01:00
parent c1e627d739 b478c0ddaa
commit 65cbd47a2d
2 changed files with 2 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -54,7 +54,7 @@ where
  (
    key.toLowerCase() = "password" and
    // exclude interpolations of environment variables
-    not val.regexpMatch("\\$\\w+|\\$[{(].+[)}]|%.*%")
+    not val.regexpMatch("\\$.*|%.*%")
    or
    key.toLowerCase() != "readme" and
    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
@@ -0,0 +1 @@
+password: $$SOME_VAR