JavaScript: Further broaden the whitelist in PasswordInConfigurationFile.

2026-04-29 10:45:15 +02:00 · 2019-05-09 17:07:59 +01:00
parent c16e9a77f3
commit b478c0ddaa
2 changed files with 2 additions and 1 deletions
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -54,7 +54,7 @@ where
  (
    key.toLowerCase() = "password" and
    // exclude interpolations of environment variables
-    not val.regexpMatch("\\$\\w+|\\$[{(].+[)}]|%.*%")
+    not val.regexpMatch("\\$.*|%.*%")
    or
    key.toLowerCase() != "readme" and
    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
@@ -0,0 +1 @@
+password: $$SOME_VAR