JS: use DataFlow::SourceNode in two additional locations

Esben Sparre Andreasen
2018-08-20 11:33:27 +02:00
parent 6950bfe915
commit 7607b6beff


@@ -165,10 +165,9 @@ module CleartextLogging {
ObjectPasswordPropertySource() {
exists (DataFlow::PropWrite write |
write.getPropertyName() = name and
name.regexpMatch(suspiciousPassword()) and
not name.regexpMatch(nonSuspicious()) and
this.(DataFlow::SourceNode).flowsTo(write.getBase()) and
write = this.(DataFlow::SourceNode).getAPropertyWrite(name) and
// avoid safe values assigned to presumably unsafe names
not write.getRhs() instanceof NonCleartextPassword
)
@@ -190,13 +189,11 @@ module CleartextLogging {
(
this.asExpr().(VarAccess).getName() = name
or
exists (DataFlow::PropRead read, DataFlow::Node base |
this = read and
base = read.getBase() and
read.getPropertyName() = name and
exists (DataFlow::SourceNode base |
this = base.getAPropertyRead(name) and
// avoid safe values assigned to presumably unsafe names
exists (DataFlow::SourceNode baseObj | baseObj.flowsTo(base) |
not baseObj.getAPropertyWrite(name).getRhs() instanceof NonCleartextPassword
not base.getAPropertyWrite(name).getRhs() instanceof NonCleartextPassword
)
)
)
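Review bot: In the second hunk, `not base.getAPropertyWrite(name).getRhs() instanceof NonCleartextPassword` holds only when no write of `name` on `base` has a `NonCleartextPassword` right-hand side, so a single safe-looking assignment stops every read of that property from being a source, even where another write on the same object stores a real password. This is carried over from the old `baseObj` form rather than introduced here, but for a cleartext-logging query it is a false-negative path that should be stated. I would extend the existing comment to something like `// one non-cleartext write to this property on 'base' suppresses all of its reads (accepted false negative)`. A test case with both a safe and an unsafe write to the same property name would pin the intended result. The enclosing predicate starts and ends outside the hunk.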