ignore deliberately hardcoded password strings

javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -17,6 +17,9 @@ import javascript
 import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
 import DataFlow::PathGraph
 
+bindingset[s]
+predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
+
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
 where
   cfg.hasFlowPath(source, sink) and
@@ -24,13 +27,16 @@ where
   if source.getNode().asExpr() instanceof ConstantString
   then
     exists(string val | val = source.getNode().getStringValue() |
-      // exclude dummy passwords
+      // exclude dummy passwords and templates
       not (
-        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
+        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
+          ["password", "credentials", "token"] and
         PasswordHeuristics::isDummyPassword(val)
         or
         sink.getNode().(Sink).getKind() = "authorization header" and
         PasswordHeuristics::isDummyAuthHeader(val)
+        or
+        looksLikeATemplate(val)
       ) and
       value = "The hard-coded value \"" + val + "\""
     )