Merge branch 'master' into js/improve-getAResponseDataNode

2026-04-30 19:26:02 +02:00 · 2019-09-17 13:18:41 +02:00
parent 9aa0e711b2 396a72db5f
commit ac6554b7da
220 changed files with 7667 additions and 2867 deletions
--- a/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js
+++ b/javascript/ql/test/query-tests/Declarations/UnusedVariable/UnusedIndexVariable.js
@@ -0,0 +1,6 @@
+function sum(xs, i) {
+  var res = 0;
+  for(;i++<xs.length;) // NOT OK, but flagged by js/unused-index-variable
+    res += xs[0];
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.expected
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.expected
@@ -0,0 +1,2 @@
+| UnusedIndexVariable2.js:3:8:3:20 | i++<xs.length | Index variable i is never used to access elements of xs. |
+| UnusedIndexVariable.js:3:16:3:26 | i<xs.length | Index variable i is never used to access elements of xs. |
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[0]; // BAD: should be xs[i]
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.qlref
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable.qlref
@@ -0,0 +1 @@
+LanguageFeatures/UnusedIndexVariable.ql
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable2.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariable2.js
@@ -0,0 +1,6 @@
+function sum(xs, i) {
+  var res = 0;
+  for(;i++<xs.length;)
+    res += xs[0]; // BAD: should be xs[i]
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var i=0; i<xs.length; ++i)
+    res += xs[i];
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood2.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/UnusedIndexVariableGood2.js
@@ -0,0 +1,6 @@
+function sum(xs) {
+  var res = 0;
+  for(var x of xs)
+    res += x;
+  return res;
+}
--- a/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/tst.js
+++ b/javascript/ql/test/query-tests/LanguageFeatures/UnusedIndexVariable/tst.js
@@ -0,0 +1,12 @@
+function isEmpty(xs) {
+  for(var i=0; i<xs.length; ++i)
+    return false;
+  return true;
+}
+
+function desk(xs) {
+  for(var i=0; i<xs.length; ++i)
+    if(xs[i] < xs[0])
+      return "yellow";
+  return [];
+}
--- a/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/tst.js
@@ -192,3 +192,8 @@ app.get('/some/path', function(req, res) {
 	var indirect = /'/;
 	return s.replace(indirect, ""); // NOT OK
 });
+
+(function (s) {
+	s.replace('"', '').replace('"', ''); // OK
+	s.replace("'", "").replace("'", ""); // OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
@@ -1,3 +1,3 @@
-| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
+| mysql-config.json:4:16:4:25 | "abcdefgh" | Hard-coded password 'abcdefgh' in configuration file. |
 | tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
 | tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
--- a/javascript/ql/test/query-tests/Security/CWE-313/mysql-config.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/mysql-config.json
@@ -1,6 +1,6 @@
 {
  "host"     : "localhost",
  "user"     : "me",
-  "password" : "secret",
+  "password" : "abcdefgh",
  "database" : "my_db"
-}
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
@@ -4,3 +4,4 @@ steps:
    OTHER_PASSWORD=`get password` yarn install
 username: <%= ENV['USERNAME'] %>
 password: <%= ENV['PASSWORD'] %>
+password: change_me
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -1,107 +1,112 @@
 nodes
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
-| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' |
-| HardcodedCredentials.js:15:36:15:50 | "user:password" |
-| HardcodedCredentials.js:16:37:16:51 | "user:password" |
-| HardcodedCredentials.js:18:16:18:30 | "user:password" |
+| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
+| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" |
 | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
 | HardcodedCredentials.js:27:25:27:31 | 'admin' |
-| HardcodedCredentials.js:27:34:27:46 | 'supersecret' |
+| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
-| HardcodedCredentials.js:29:35:29:47 | 'supersecret' |
+| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' |
 | HardcodedCredentials.js:35:15:35:24 | 'username' |
-| HardcodedCredentials.js:35:27:35:36 | 'password' |
+| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' |
 | HardcodedCredentials.js:41:38:41:47 | 'username' |
-| HardcodedCredentials.js:41:67:41:76 | 'password' |
+| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' |
 | HardcodedCredentials.js:42:35:42:44 | 'username' |
-| HardcodedCredentials.js:42:64:42:73 | 'password' |
+| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' |
 | HardcodedCredentials.js:44:34:44:43 | 'username' |
-| HardcodedCredentials.js:44:63:44:72 | 'password' |
-| HardcodedCredentials.js:46:25:46:34 | 'password' |
+| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' |
+| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' |
 | HardcodedCredentials.js:53:27:53:36 | 'username' |
-| HardcodedCredentials.js:53:39:53:48 | 'password' |
+| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' |
 | HardcodedCredentials.js:56:21:56:30 | 'username' |
-| HardcodedCredentials.js:57:21:57:30 | 'password' |
+| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' |
 | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' |
 | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' |
 | HardcodedCredentials.js:69:28:69:37 | 'username' |
-| HardcodedCredentials.js:69:40:69:49 | 'password' |
+| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' |
 | HardcodedCredentials.js:70:28:70:37 | 'username' |
-| HardcodedCredentials.js:70:40:70:49 | 'password' |
+| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' |
 | HardcodedCredentials.js:72:23:72:32 | 'username' |
-| HardcodedCredentials.js:72:35:72:44 | 'password' |
+| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' |
 | HardcodedCredentials.js:75:21:75:30 | 'username' |
-| HardcodedCredentials.js:76:21:76:30 | 'password' |
+| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' |
 | HardcodedCredentials.js:84:38:84:47 | 'username' |
-| HardcodedCredentials.js:84:50:84:59 | 'password' |
+| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' |
 | HardcodedCredentials.js:86:44:86:53 | 'username' |
-| HardcodedCredentials.js:86:56:86:65 | 'password' |
+| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' |
 | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' |
 | HardcodedCredentials.js:98:18:98:21 | 'x1' |
 | HardcodedCredentials.js:99:16:99:19 | 'x2' |
 | HardcodedCredentials.js:100:25:100:28 | 'x3' |
 | HardcodedCredentials.js:101:19:101:22 | 'x4' |
-| HardcodedCredentials.js:102:14:102:17 | 'y1' |
-| HardcodedCredentials.js:103:17:103:20 | 'y2' |
-| HardcodedCredentials.js:104:27:104:30 | 'y3' |
-| HardcodedCredentials.js:105:19:105:22 | 'y4' |
-| HardcodedCredentials.js:106:16:106:19 | 'z1' |
+| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' |
+| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' |
+| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' |
+| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' |
+| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' |
 | HardcodedCredentials.js:112:19:112:22 | 'x5' |
-| HardcodedCredentials.js:113:19:113:22 | 'y5' |
-| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' |
-| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' |
-| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" |
+| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' |
+| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' |
+| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' |
+| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" |
+| HardcodedCredentials.js:160:38:160:48 | "change_me" |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
+| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 edges
-| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
-| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | The hard-coded value "secretpassword" is used as $@. | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | password |
-| HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:password" | credentials |
-| HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:password" | credentials |
-| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
+| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | credentials |
+| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | credentials |
+| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
 | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
-| HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | password |
+| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | password |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
-| HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | password |
+| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | password |
 | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:35:15:35:24 | 'username' | user name |
-| HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'password' | password |
+| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | password |
 | HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:41:38:41:47 | 'username' | user name |
-| HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'password' | password |
+| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | password |
 | HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:42:35:42:44 | 'username' | user name |
-| HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'password' | password |
+| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | password |
 | HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:44:34:44:43 | 'username' | user name |
-| HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'password' | password |
-| HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'password' | password |
+| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | password |
+| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | password |
 | HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:53:27:53:36 | 'username' | user name |
-| HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'password' | password |
+| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | password |
 | HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:56:21:56:30 | 'username' | user name |
-| HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'password' | password |
+| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | password |
 | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | token |
 | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | token |
 | HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:69:28:69:37 | 'username' | user name |
-| HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'password' | password |
+| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | password |
 | HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:70:28:70:37 | 'username' | user name |
-| HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'password' | password |
+| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | password |
 | HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:72:23:72:32 | 'username' | user name |
-| HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'password' | password |
+| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | password |
 | HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:75:21:75:30 | 'username' | user name |
-| HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'password' | password |
+| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | password |
 | HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:84:38:84:47 | 'username' | user name |
-| HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'password' | password |
+| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | password |
 | HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:86:44:86:53 | 'username' | user name |
-| HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'password' | password |
+| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | password |
 | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | The hard-coded value "TOKEN" is used as $@. | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | token |
 | HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | The hard-coded value "x1" is used as $@. | HardcodedCredentials.js:98:18:98:21 | 'x1' | user name |
 | HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | The hard-coded value "x2" is used as $@. | HardcodedCredentials.js:99:16:99:19 | 'x2' | user name |
 | HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | The hard-coded value "x3" is used as $@. | HardcodedCredentials.js:100:25:100:28 | 'x3' | user name |
 | HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | The hard-coded value "x4" is used as $@. | HardcodedCredentials.js:101:19:101:22 | 'x4' | user name |
-| HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | The hard-coded value "y1" is used as $@. | HardcodedCredentials.js:102:14:102:17 | 'y1' | password |
-| HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | The hard-coded value "y2" is used as $@. | HardcodedCredentials.js:103:17:103:20 | 'y2' | password |
-| HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | The hard-coded value "y3" is used as $@. | HardcodedCredentials.js:104:27:104:30 | 'y3' | password |
-| HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | The hard-coded value "y4" is used as $@. | HardcodedCredentials.js:105:19:105:22 | 'y4' | password |
-| HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | The hard-coded value "z1" is used as $@. | HardcodedCredentials.js:106:16:106:19 | 'z1' | token |
+| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | password |
+| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | password |
+| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | password |
+| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | token |
 | HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | The hard-coded value "x5" is used as $@. | HardcodedCredentials.js:112:19:112:22 | 'x5' | user name |
-| HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | The hard-coded value "y5" is used as $@. | HardcodedCredentials.js:113:19:113:22 | 'y5' | password |
-| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | The hard-coded value "crypto secret" is used as $@. | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | key |
-| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | The hard-coded value "crypto-js/aes secret" is used as $@. | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | key |
-| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | The hard-coded value "cookie-session secret" is used as $@. | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | key |
+| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | password |
+| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | key |
+| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | key |
+| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
+| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
+| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -5,17 +5,17 @@
        user: 'dbuser',
        host: 'database.server.com',
        database: 'mydb',
-        password: 'secretpassword',
+        password: 'abcdefgh',
        port: 3211,
    }); // NOT OK
    client.connect();
 })();

 (function() {
-    require("http").request({auth: "user:password"});  // NOT OK
-    require("https").request({auth: "user:password"}); // NOT OK
+    require("http").request({auth: "user:abcdefgh"});  // NOT OK
+    require("https").request({auth: "user:abcdefgh"}); // NOT OK
    function getCredentials() {
-        return "user:password";
+        return "user:abcdefgh";
    }
    require("http").request({auth: getCredentials()}); // NOT OK
    require("http").request({auth: getUnknownCredentials()}); // OK
@@ -24,37 +24,37 @@
 (function() {
    var basicAuth = require('express-basic-auth');

-    basicAuth({users: { 'admin': 'supersecret' }});  // NOT OK
+    basicAuth({users: { 'admin': 'abcdefgh' }});  // NOT OK
    var users = {};
-    users['unknown-admin-name'] = 'supersecret';
+    users['unknown-admin-name'] = 'abcdefgh';
    basicAuth({users: users})  // NOT OK
 })();

 (function() {
    var basicAuth = require('basic-auth-connect');
-    basicAuth('username', 'password'); // NOT OK
+    basicAuth('username', 'abcdefgh'); // NOT OK
    basicAuth(function(){}); // OK
 })();

 (function() {
    var AWS = require('aws-sdk');
-    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
-    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
+    AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
+    new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
    var config = new AWS.Config();
-    config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
+    config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
    var o = {};
-    o.secretAccessKey = 'password';
+    o.secretAccessKey = 'abcdefgh';
    config.update(o); // NOT OK
 })();

 (function() {
    var request = require('request');

-    request.get(url).auth('username', 'password'); // NOT OK
+    request.get(url).auth('username', 'abcdefgh'); // NOT OK
    request.get(url, { // NOT OK
        'auth': {
            'user': 'username',
-            'pass': 'password'
+            'pass': 'abcdefgh'
        }
    });

@@ -66,14 +66,14 @@
        }
    });

-    request.post(url).auth('username', 'password'); // NOT OK
-    request.head(url).auth('username', 'password'); // NOT OK
+    request.post(url).auth('username', 'abcdefgh'); // NOT OK
+    request.head(url).auth('username', 'abcdefgh'); // NOT OK

-    request(url).auth('username', 'password'); // NOT OK
+    request(url).auth('username', 'abcdefgh'); // NOT OK
    request(url, { // NOT OK
        'auth': {
            'user': 'username',
-            'pass': 'password'
+            'pass': 'abcdefgh'
        }
    });
 })();
@@ -81,9 +81,9 @@
 (function() {
    const MsRest = require('ms-rest-azure');

-    MsRest.loginWithUsernamePassword('username', 'password', function(){}); // NOT OK
+    MsRest.loginWithUsernamePassword('username', 'abcdefgh', function(){}); // NOT OK
    MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function(){}); // OK
-    MsRest.loginWithServicePrincipalSecret('username', 'password', function(){}); // NOT OK
+    MsRest.loginWithServicePrincipalSecret('username', 'abcdefgh', function(){}); // NOT OK
 })();

 (function() {
@@ -99,26 +99,26 @@
        keyId: 'x2',
        storageAccount: 'x3',
        username: 'x4',
-        key: 'y1',
-        apiKey: 'y2',
-        storageAccessKey: 'y3',
-        password: 'y4',
-        token: 'z1'
+        key: 'abcdefgh',
+        apiKey: 'abcdefgh',
+        storageAccessKey: 'abcdefgh',
+        password: 'abcdefgh',
+        token: 'abcdefgh'
    });
    pkgcloud.compute.createClient({ // OK
        INNOCENT_DATA: '42'
    });
    pkgcloud.providers.SOME_PROVIDER.compute.createClient({  // NOT OK
        username: 'x5',
-        password: 'y5'
+        password: 'abcdefgh'
    });
    pkgcloud.UNKNOWN_SERVICE.createClient({  // OK
        username: 'x6',
-        password: 'y6'
+        password: 'abcdefgh'
    });
    pkgcloud.providers.SOME_PROVIDER.UNKNOWN_SERVICE.createClient({  // OK
        username: 'x7',
-        password: 'y7'
+        password: 'abcdefgh'
    });
    pkgcloud.compute.createClient({ // OK
        username: process.env.USERNAME,
@@ -127,12 +127,12 @@
 })();

 (function(){
-    require('crypto').createHmac('sha256', 'crypto secret');
-    require("crypto-js/aes").encrypt('my message', 'crypto-js/aes secret');
+    require('crypto').createHmac('sha256', 'abcdefgh');
+    require("crypto-js/aes").encrypt('my message', 'abcdefgh');
 })()

 (function(){
-    require("cookie-session")({ secret: "cookie-session secret" });
+    require("cookie-session")({ secret: "abcdefgh" });
 })()

 (function(){
@@ -155,3 +155,11 @@
        }
    });
 })();
+
+(function(){
+	require("cookie-session")({ secret: "change_me" }); // NOT OK
+	require('crypto').createHmac('sha256', 'change_me'); // NOT OK
+
+	var basicAuth = require('express-basic-auth');
+	basicAuth({users: { [adminName]: 'change_me' }});  // OK
+})();