Python: Reduce the number of strings and ints identified and possible hard-coded credentials.

2026-04-30 11:15:13 +02:00 · 2019-05-31 15:31:29 +01:00
parent 66ba1079f3
commit 8d4a8a6c6b
1 changed files with 12 additions and 7 deletions
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -53,6 +53,10 @@ predicate capitalized_word(StrConst str) {
    str.getText().regexpMatch("[A-Z][a-z]+")
 }

+predicate format_string(StrConst str) {
+    str.getText().matches("%{%}%")
+}
+
 predicate maybeCredential(ControlFlowNode f) {
    /* A string that is not too short and unlikely to be text or an identifier. */
    exists(StrConst str |
@@ -66,20 +70,21 @@ predicate maybeCredential(ControlFlowNode f) {
        /* Not too repetitive */
        exists(int chars |
            chars = char_count(str) |
-            chars > 20 or
-            chars > str.getText().length()/2
+            chars > 15 or
+            chars*3 > str.getText().length()*2
        ) and
        not possible_reflective_name(str.getText()) and
-        not capitalized_word(str)
+        not capitalized_word(str) and
+        not format_string(str)
    )
    or
-    /* Or, an integer with at least 8 digits */
+    /* Or, an integer with over 32 bits */
    exists(IntegerLiteral lit |
        f.getNode() = lit
        |
-        not exists(lit.getValue())
-        or
-        lit.getValue() > 10000000
+        not exists(lit.getValue()) and
+        /* Not a set of flags or round number */
+        not lit.getN().matches("%00%")
    )
 }