Merge pull request #3609 from erik-krogh/CredFN

Approved by asgerf, esbena
2026-05-11 01:39:28 +02:00 · 2020-06-05 10:49:01 +01:00
parent ad2d1d531b e47770281a
commit 69a1e11c06
5 changed files with 212 additions and 10 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -260,6 +260,23 @@ module ClientRequest {
    }
  }

+  /** An expression that is used as a credential in a request. */
+  private class AuthorizationHeader extends CredentialsExpr {
+    AuthorizationHeader() {
+      exists(DataFlow::PropWrite write | write.getPropertyName().regexpMatch("(?i)authorization") |
+        this = write.getRhs().asExpr()
+      )
+      or
+      exists(DataFlow::MethodCallNode call | call.getMethodName() = ["append", "set"] |
+        call.getNumArgument() = 2 and
+        call.getArgument(0).getStringValue().regexpMatch("(?i)authorization") and
+        this = call.getArgument(1).asExpr()
+      )
+    }
+
+    override string getCredentialsKind() { result = "authorization header" }
+  }
+
  /**
   * A model of a URL request made using an implementation of the `fetch` API.
   */
@@ -267,18 +284,14 @@ module ClientRequest {
    DataFlow::Node url;

    FetchUrlRequest() {
-      exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
-        (
-          moduleName = "node-fetch" or
-          moduleName = "cross-fetch" or
-          moduleName = "isomorphic-fetch"
-        ) and
-        callee = DataFlow::moduleImport(moduleName) and
+      exists(DataFlow::SourceNode fetch |
+        fetch = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
+        or
+        fetch = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
+      |
+        this = fetch.getACall() and
        url = getArgument(0)
      )
-      or
-      this = DataFlow::globalVarRef("fetch").getACall() and
-      url = getArgument(0)
    }

    override DataFlow::Node getUrl() { result = url }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
@@ -20,5 +20,18 @@ module HardcodedCredentials {
    override predicate isSource(DataFlow::Node source) { source instanceof Source }

    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+      exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
+      or
+      trg.(StringOps::ConcatenationRoot).getALeaf() = src and
+      not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
+      or
+      exists(DataFlow::MethodCallNode bufferFrom |
+        bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
+        trg = bufferFrom and
+        src = bufferFrom.getArgument(0)
+      )
+    }
  }
 }