normalize auth-headers to lowercase

This commit is contained in:
Erik Krogh Kristensen
2021-08-03 09:09:47 +02:00
parent 87c0c60c22
commit 6b579dfad3


@@ -197,15 +197,15 @@ module PasswordHeuristics {
isDummyPassword(header)
or
exists(string prefix, string suffix | prefix = getAnHTTPAuthenticationScheme() |
header = prefix + " " + suffix and
header.toLowerCase() = prefix + " " + suffix and
isDummyPassword(suffix)
)
or
header.trim() = getAnHTTPAuthenticationScheme()
header.trim().toLowerCase() = getAnHTTPAuthenticationScheme()
}
/**
* Gets a HTTP authentication scheme.
* Gets a HTTP authentication scheme normalized to lowercase.
* From this list: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
*/
private string getAnHTTPAuthenticationScheme() {
@@ -213,6 +213,6 @@ module PasswordHeuristics {
[
"Basic", "Bearer", "Digest", "HOBA", "Mutual", "Negotiate", "OAuth", "SCRAM-SHA-1",
"SCRAM-SHA-256", "vapid"
]
].toLowerCase()
}
}
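Review bot: In the rewritten `exists` clause, `suffix` is now bound from `header.toLowerCase()`, so `isDummyPassword(suffix)` is evaluated on a lowercased credential rather than the original text; if that predicate matches any case-sensitive placeholder patterns, this silently changes which headers count as dummy passwords (I cannot see its body from here, so this is inferred). Lowercasing only the scheme part keeps the normalization the commit wants while leaving the suffix untouched, and matches the scheme-only comparison on the following line, which normalizes `header` rather than the scheme list. Note that the scheme-only check uses `trim()` while the prefix+suffix check does not, so a header with leading whitespace still only matches the second form; that is pre-existing. The enclosing predicate starts before this hunk.
```ql
exists(string prefix, string suffix | prefix = getAnHTTPAuthenticationScheme() |
  header.prefix(prefix.length()).toLowerCase() = prefix and
  header.charAt(prefix.length()) = " " and
  suffix = header.suffix(prefix.length() + 1) and
  isDummyPassword(suffix)
)
// … unchanged: scheme-only comparison and getAnHTTPAuthenticationScheme …
```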