Merge pull request #73 from esben-semmle/js/cleartext-logging-query

Approved by xiemaisi

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -0,0 +1,26 @@
+| passwords.js:2:17:2:24 | password | Sensitive data returned by $@ is logged here. | passwords.js:2:17:2:24 | password | an access to password |
+| passwords.js:3:17:3:26 | o.password | Sensitive data returned by $@ is logged here. | passwords.js:3:17:3:26 | o.password | an access to password |
+| passwords.js:4:17:4:29 | getPassword() | Sensitive data returned by $@ is logged here. | passwords.js:4:17:4:29 | getPassword() | a call to getPassword |
+| passwords.js:5:17:5:31 | o.getPassword() | Sensitive data returned by $@ is logged here. | passwords.js:5:17:5:31 | o.getPassword() | a call to getPassword |
+| passwords.js:8:21:8:21 | x | Sensitive data returned by $@ is logged here. | passwords.js:10:11:10:18 | password | an access to password |
+| passwords.js:12:18:12:25 | password | Sensitive data returned by $@ is logged here. | passwords.js:12:18:12:25 | password | an access to password |
+| passwords.js:14:17:14:38 | name +  ... assword | Sensitive data returned by $@ is logged here. | passwords.js:14:31:14:38 | password | an access to password |
+| passwords.js:16:17:16:38 | `${name ... sword}` | Sensitive data returned by $@ is logged here. | passwords.js:16:29:16:36 | password | an access to password |
+| passwords.js:21:17:21:20 | obj1 | Sensitive data returned by $@ is logged here. | passwords.js:18:16:20:5 | {\\n      ... x\\n    } | an access to password |
+| passwords.js:26:17:26:20 | obj2 | Sensitive data returned by $@ is logged here. | passwords.js:24:12:24:19 | password | an access to password |
+| passwords.js:29:17:29:20 | obj3 | Sensitive data returned by $@ is logged here. | passwords.js:30:14:30:21 | password | an access to password |
+| passwords.js:78:17:78:38 | temp.en ... assword | Sensitive data returned by $@ is logged here. | passwords.js:77:37:77:53 | req.body.password | an access to password |
+| passwords.js:81:17:81:31 | `pw: ${secret}` | Sensitive data returned by $@ is logged here. | passwords.js:80:18:80:25 | password | an access to password |
+| passwords.js:93:21:93:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:93:39:93:46 | password | an access to password |
+| passwords.js:98:21:98:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:98:39:98:46 | password | an access to password |
+| passwords.js:105:21:105:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:105:39:105:46 | password | an access to password |
+| passwords.js:110:21:110:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:110:39:110:46 | password | an access to password |
+| passwords.js:114:25:114:50 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:114:43:114:50 | password | an access to password |
+| passwords.js:119:21:119:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:119:39:119:46 | password | an access to password |
+| passwords.js:122:17:122:49 | name +  ... tring() | Sensitive data returned by $@ is logged here. | passwords.js:122:31:122:38 | password | an access to password |
+| passwords.js:123:17:123:48 | name +  ... lueOf() | Sensitive data returned by $@ is logged here. | passwords.js:123:31:123:38 | password | an access to password |
+| passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
+| passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
+| passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
+| passwords_in_server_4.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_4.js:2:13:2:20 | password | an access to password |
+| passwords_in_server_5.js:8:17:8:17 | x | Sensitive data returned by $@ is logged here. | passwords_in_server_5.js:4:7:4:24 | req.query.password | an access to password |

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.qlref

@@ -0,0 +1 @@
+Security/CWE-312/CleartextLogging.ql

javascript/ql/test/query-tests/Security/CWE-312/browser.js

@@ -0,0 +1,2 @@
+import foo from "foo";
+window.location;

javascript/ql/test/query-tests/Security/CWE-312/passwords.js

@@ -0,0 +1,124 @@
+(function() {
+    console.log(password); // NOT OK
+    console.log(o.password); // NOT OK
+    console.log(getPassword()); // NOT OK
+    console.log(o.getPassword()); // NOT OK
+
+    function myLog(x) {
+        console.log(x); // NOT OK
+    }
+    myLog(password);
+
+    console.info(password); // NOT OK
+
+    console.log(name + ", " + password); // NOT OK
+
+    console.log(`${name}, ${password}`); // NOT OK
+
+    var obj1 = {
+        password: x
+    };
+    console.log(obj1); // NOT OK
+
+    var obj2 = {
+        x: password
+    };
+    console.log(obj2); // NOT OK
+
+    var obj3 = {};
+    console.log(obj3);
+    obj3.x = password; // NOT OK
+
+    var fixed_password = "123";
+    console.log(fixed_password); // OK
+
+    console.log(messages.IncorrectPasswordError); // OK
+
+    console.log(this.hashed_password); // OK
+    console.log(login.wrappedJSObject.encryptedPassword); // OK
+    console.log(HTML5QQ.encodedPassword); // OK
+
+    console.log({password: crypt(pw)}); // OK
+    var actually_secure_password = crypt(password); // OK
+    console.log(actually_secure_password); // OK
+
+    var user1 = {};
+    user1.crypted_password = x();
+    console.log(user1); // OK
+
+    var user2 = {};
+    user2.password = hash();
+    console.log(user2); // OK
+
+    var user3 = {
+        password: encryptLib.encryptPassword(req.body.password)
+    };
+    console.log(user3); // OK
+
+    var actually_ok_password_1 = hashed1();
+    console.log(actually_ok_password_1);
+    var hashed2 = actually_ok_password_2();
+    console.log(hashed2); // OK
+
+    console.log(this._passwordMD5); // OK
+    console.log(this._password_sha); // OK
+
+    var utilityObject = {
+        passwordSet: function(){}
+    }
+    console.log(utilityObject); // OK
+
+    var displayedPassword = password? null: "(hidden)";
+    var config = {
+        password: displayedPassword
+    };
+    console.log(config); // OK
+
+    var temp = { encryptedPassword: req.body.password };
+    console.log(temp.encryptedPassword); // OK XXX
+
+    var secret = password;
+    console.log(`pw: ${secret}`); // NOT OK
+
+    function redact(kind, value) {
+        if (value && kind == 'password') {
+            return "********"
+        }
+        return value;
+    }
+
+    console.log("Password is: " + redact('password', password));
+
+    if (environment.isTestEnv()) {
+        console.log("Password is: " + password); // OK, but still flagged
+    }
+
+    if (environment.is(TEST)) {
+        // NB: for security reasons, we only log passwords in test environments
+        console.log("Password is: " + password); // OK, but still flagged
+    }
+
+
+    if (x.test(y)) {
+        f();
+        // ...
+        console.log("Password is: " + password); // NOT OK
+        // ...
+    }
+
+    if (environment.isTestEnv())
+        console.log("Password is: " + password); // OK, but still flagged
+
+    if (x.test(y)) {
+        if (f()) {
+            console.log("Password is: " + password); // NOT OK
+        }
+    }
+
+    if (!environment.isProduction()) {
+        console.log("Password is: " + password); // OK, but still flagged
+    }
+
+    console.log(name + ", " + password.toString()); // NOT OK
+    console.log(name + ", " + password.valueOf()); // NOT OK
+});

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_browser1.js

@@ -0,0 +1,2 @@
+window.location;
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_browser2.js

@@ -0,0 +1,2 @@
+import browser from "./browser";
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_1.js

@@ -0,0 +1,6 @@
+var express = require('express');
+var app = express();
+app.get('/some/path', function() {
+})
+
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_2.js

@@ -0,0 +1,3 @@
+require("foo");
+(function (req, res){});
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_3.js

@@ -0,0 +1,2 @@
+var server = require("./server");
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_4.js

@@ -0,0 +1,2 @@
+require("foo");
+console.log(password);

javascript/ql/test/query-tests/Security/CWE-312/passwords_in_server_5.js

@@ -0,0 +1,9 @@
+var express = require('express');
+var app = express();
+app.get('/some/path', function() {
+    f(req.query.password);
+})
+
+function f(x) {
+    console.log(x);
+}

javascript/ql/test/query-tests/Security/CWE-312/server.js

@@ -0,0 +1,2 @@
+require("foo");
+(function (req, res){})

javascript/ql/test/query-tests/Security/CWE-312/server2.js

@@ -0,0 +1,2 @@
+require("./server.js")
+require("./passwords_in_server_4.js")