Update hardcodedCredentials query file to only exclude 'jwt key' kind from with the isTestFile predicate.

According to expected test results, with a new query, the jwt sinks of __test__/ dir have been exluded from query results.
2026-04-26 01:05:15 +02:00 · 2024-07-01 14:59:23 +02:00
parent 5a1877547f
commit b360c8adb8
2 changed files with 38 additions and 18 deletions
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -21,27 +21,45 @@ import semmle.javascript.filters.ClassifyFiles
 bindingset[s]
 predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }

+predicate updateMessageWithSourceValue(string value, DataFlow::Node source, DataFlow::Node sink) {
+  exists(string val | val = source.getStringValue() |
+    // exclude dummy passwords and templates
+    not (
+      sink.(Sink).(DefaultCredentialsSink).getKind() = ["password", "credentials", "token", "key"] and
+      PasswordHeuristics::isDummyPassword(val)
+      or
+      sink.(Sink).getKind() = "authorization header" and
+      PasswordHeuristics::isDummyAuthHeader(val)
+      or
+      looksLikeATemplate(val)
+    ) and
+    value = "The hard-coded value \"" + val + "\""
+  )
+}
+
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
 where
  cfg.hasFlowPath(source, sink) and
-  not isTestFile(sink.getNode().getFile()) and
-  // use source value in message if it's available
-  if source.getNode().asExpr() instanceof ConstantString
+  // sink kind is "jwt key" and source is constant string
+  if
+    sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+    // use source value in message if it's available
+    source.getNode().asExpr() instanceof ConstantString
  then
-    exists(string val | val = source.getNode().getStringValue() |
-      // exclude dummy passwords and templates
-      not (
-        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
-          ["password", "credentials", "token", "key"] and
-        PasswordHeuristics::isDummyPassword(val)
-        or
-        sink.getNode().(Sink).getKind() = "authorization header" and
-        PasswordHeuristics::isDummyAuthHeader(val)
-        or
-        looksLikeATemplate(val)
-      ) and
-      value = "The hard-coded value \"" + val + "\""
-    )
-  else value = "This hard-coded value"
+    not isTestFile(sink.getNode().getFile()) and
+    updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
+  else
+    // sink kind is "jwt key" and source is not constant string
+    if
+      sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+      not source.getNode().asExpr() instanceof ConstantString
+    then not isTestFile(sink.getNode().getFile()) and value = "This hard-coded value"
+    else
+      // sink kind is not "jwt key" and source is  constant string
+      if
+        not sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
+        source.getNode().asExpr() instanceof ConstantString
+      then updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
+      else value = "This hard-coded value"
 select source.getNode(), source, sink, value + " is used as $@.", sink.getNode(),
  sink.getNode().(Sink).getKind()
--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -615,3 +615,5 @@ edges
 | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:375:21:375:43 | "myHard ... ateKey" | HardcodedCredentials.js:385:31:385:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:385:31:385:39 | secretKey | jwt key |
 | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:399:17:399:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:399:17:399:25 | secretKey | jwt key |
 | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:416:27:416:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:416:27:416:35 | secretKey | jwt key |
+| __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |