don't report dummy authentication headers as hardcoded-crendentials

This commit is contained in:
Erik Krogh Kristensen
2021-08-02 16:46:55 +02:00
parent 26881ec220
commit 87c0c60c22
4 changed files with 68 additions and 1 deletions


@@ -213,6 +213,16 @@ nodes
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
| HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
| HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
| HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
| HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
| HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -318,6 +328,13 @@ edges
| HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
| HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
| HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
| HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
| HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |


@@ -249,4 +249,24 @@
jwt.verify(token, publicKey, function(err, decoded) {
console.log(decoded);
});
})();
})();
(async function () {
const fetch = require("node-fetch");
const rsp = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
"Authorization": `Basic foo`, // OK - dummy password
"Content-Type": 'application/json'
})
});
const rsp2 = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
"Authorization": `${foo ? 'Bearer' : 'OAuth'} ${accessToken}`, // OK - just a protocol selector
"Content-Type": 'application/json'
})
});
});
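Review bot: Both new Authorization headers are negative cases (`// OK`), so this fixture cannot catch the new dummy-header exclusion being wider than intended; a third request whose header is a genuine-looking credential, e.g. `"Authorization": "Basic <placeholder: base64 user:password literal>", // NOT OK - real credential`, would pin down that such a value is still reported, unless one of the other changed files already adds it. The `// OK - dummy password` comment would help future readers more if it said what makes `foo` a dummy (a bare placeholder rather than a base64 `user:password` pair), since that is the property the exclusion presumably keys on. `ENDPOINT`, `foo` and `accessToken` are undeclared here, which is acceptable only because this file is a static-analysis fixture that is never executed. The hunk header announces 24 new-side lines but 22 are visible, so the enclosing `(async function () {` may continue past the end of the hunk unless the missing lines are blanks dropped by the rendering.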