JavaScript: Tweak PasswordInConfigurationFile alerts.

Only highlight first line, and include the password in the alert message.
2026-04-29 10:45:15 +02:00 · 2019-06-04 17:07:49 +01:00
parent 601ea22bfd
commit a4876270ec
3 changed files with 14 additions and 5 deletions
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -12,6 +12,7 @@
 */

 import javascript
+import semmle.javascript.RestrictedLocations

 /**
 * Holds if some JSON or YAML file contains a property with name `key`
@@ -45,7 +46,7 @@ predicate exclude(File f) {
  f.getExtension().toLowerCase() = "raml"
 }

-from string key, string val, Locatable valElement
+from string key, string val, Locatable valElement, string pwd
 where
  config(key, val, valElement) and
  val != "" and
@@ -53,13 +54,14 @@ where
  not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
  (
    key.toLowerCase() = "password" and
+    pwd = val and
    // exclude interpolations of environment variables
    not val.regexpMatch("\\$.*|%.*%")
    or
    key.toLowerCase() != "readme" and
    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
    // `password=%s` and `password==`
-    val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
+    pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
  ) and
  not exclude(valElement.getFile())
-select valElement, "Avoid plaintext passwords in configuration files."
+select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file."
--- a/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
@@ -1,2 +1,3 @@
-| mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
-| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
+| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
+| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
+| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
@@ -1 +1,7 @@
 password: $$SOME_VAR
+config: |
+    [mail]
+    host = smtp.mydomain.com
+    port = 25
+    username = sample_admin@mydomain.com
+    password = abc