mirror of
https://github.com/github/codeql.git
synced 2026-04-30 11:15:13 +02:00
ignore deliberately hardcoded password strings
This commit is contained in:
Esben Sparre Andreasen
@@ -214,7 +214,8 @@ module PasswordHeuristics {
|
||||
or
|
||||
exists(string normalized | normalized = password.toLowerCase() |
|
||||
count(normalized.charAt(_)) = 1 or
|
||||
normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
|
||||
normalized
|
||||
.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth|fake|(my(token|password))|string|foo|bar|baz|qux|1234|3141|abcd).*")
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -17,6 +17,9 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
bindingset[s]
|
||||
predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
|
||||
where
|
||||
cfg.hasFlowPath(source, sink) and
|
||||
@@ -24,13 +27,16 @@ where
|
||||
if source.getNode().asExpr() instanceof ConstantString
|
||||
then
|
||||
exists(string val | val = source.getNode().getStringValue() |
|
||||
// exclude dummy passwords
|
||||
// exclude dummy passwords and templates
|
||||
not (
|
||||
sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
|
||||
sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
|
||||
["password", "credentials", "token"] and
|
||||
PasswordHeuristics::isDummyPassword(val)
|
||||
or
|
||||
sink.getNode().(Sink).getKind() = "authorization header" and
|
||||
PasswordHeuristics::isDummyAuthHeader(val)
|
||||
or
|
||||
looksLikeATemplate(val)
|
||||
) and
|
||||
value = "The hard-coded value \"" + val + "\""
|
||||
)
|
||||
|
||||
@@ -386,9 +386,6 @@ edges
|
||||
#select
|
||||
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
|
||||
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
|
||||
| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | credentials |
|
||||
| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | credentials |
|
||||
| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
|
||||
| HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
|
||||
| HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | password |
|
||||
| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
|
||||
@@ -449,15 +446,3 @@ edges
|
||||
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
|
||||
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | authorization header |
|
||||
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
|
||||
| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | The hard-coded value "user:{{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | credentials |
|
||||
| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | The hard-coded value "user:token {{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | credentials |
|
||||
| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | The hard-coded value "user:( INSERT_HERE )" is used as $@. | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | credentials |
|
||||
| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | The hard-coded value "user:{{ env.access_token }}" is used as $@. | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | credentials |
|
||||
| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | credentials |
|
||||
| HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | The hard-coded value "user:12345678" is used as $@. | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | credentials |
|
||||
| HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | The hard-coded value "user:foo" is used as $@. | HardcodedCredentials.js:281:36:281:45 | "user:foo" | credentials |
|
||||
| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | The hard-coded value "user:mypassword" is used as $@. | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | credentials |
|
||||
| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | The hard-coded value "user:mytoken" is used as $@. | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | credentials |
|
||||
| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | The hard-coded value "user:fake token" is used as $@. | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | credentials |
|
||||
| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | The hard-coded value "user:dcba" is used as $@. | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | credentials |
|
||||
| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | The hard-coded value "user:custom string" is used as $@. | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | credentials |
|
||||
|
||||
Reference in New Issue
Block a user