support credentials in a Buffer

This commit is contained in:
Erik Krogh Kristensen
2020-06-03 12:02:00 +02:00
parent ba44ebe8a8
commit a1940979ba
3 changed files with 40 additions and 2 deletions


@@ -21,11 +21,17 @@ module HardcodedCredentials {
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
or
trg.(StringOps::ConcatenationRoot).getALeaf() = src and
not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
or
exists(DataFlow::MethodCallNode bufferFrom |
bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
trg = bufferFrom and
src = bufferFrom.getArgument(0)
)
}
}
}
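Review bot: The new step on lines 21-25 only recognises `Buffer.from` reached through the global `Buffer`, so credentials wrapped via `require('buffer').Buffer.from(...)` or the deprecated `new Buffer(str)` constructor would presumably still be lost here — worth checking whether `DataFlow::globalVarRef("Buffer")` also resolves the module-import form, and adding a `DataFlow::moduleMember("buffer", "Buffer")` alternative if it does not. Tracking only argument 0 is right since the optional second argument is an encoding name, but a short comment would help the next reader, e.g. `// Buffer.from(x[, encoding]) carries x unchanged; the later .toString('base64') is presumably picked up by the Base64::Encode step above`. The `isAdditionalFlowStep` line appears twice in this rendered view (lines 14-15), which looks like a rendering artifact rather than a real change. The enclosing configuration class starts before this hunk; only the closing braces of the class and of `module HardcodedCredentials` are visible at its end.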


@@ -199,6 +199,15 @@ nodes
| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
| HardcodedCredentials.js:221:46:221:49 | AUTH |
| HardcodedCredentials.js:231:11:231:29 | username |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
| HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') |
| HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') |
| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
| HardcodedCredentials.js:237:47:237:54 | username |
| HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -292,6 +301,14 @@ edges
| HardcodedCredentials.js:216:43:216:46 | PASS | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
| HardcodedCredentials.js:231:11:231:29 | username | HardcodedCredentials.js:237:47:237:54 | username |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') |
| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') |
| HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -356,3 +373,4 @@ edges
| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | authorization headers |


@@ -223,4 +223,18 @@
method: 'get',
headers: headers
});
});
});
(async function () {
import fetch from 'node-fetch';
const username = 'sdsdag';
const password = config.get('some_actually_secrect_password');
const response = await fetch(ENDPOINT, {
method: 'get',
headers: {
'Content-Type': 'application/json',
Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'),
},
});
})
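Review bot: The fixture added at lines 77-88 is not syntactically valid JavaScript: an `import` declaration (line 78) may only appear at module top level, not inside a function body, and the async IIFE is never invoked because line 88 ends with `})` rather than `})();`. The extractor evidently still produces the expected finding, but keeping fixtures parseable avoids the test silently disappearing if extraction becomes stricter. Suggested change: hoist the import to module scope (or use `const fetch = require('node-fetch');` inside the function, matching whatever the earlier tests in this file use — not visible here) and close the function with `})();`. The `});` lines at 72-76 close a unit that starts before this hunk.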