hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 04:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

add fetch.Headers.Authorization as a CredentialsExpr

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-06-02 23:02:16 +02:00
parent 14f0d1687a
commit b6dc94fccb
3 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
View File

@@ -162,6 +162,11 @@ nodes
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:170:11:170:25 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
| HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:175:30:175:33 | PASS |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -220,6 +225,10 @@ edges
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -274,3 +283,4 @@ edges
| HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:175:30:175:33 | PASS | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:175:30:175:33 | PASS | authorization headers |

14
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
View File

@@ -163,3 +163,17 @@
var basicAuth = require('express-basic-auth');
basicAuth({users: { [adminName]: 'change_me' }}); // OK
})();
(async function () {
const fetch = require("node-fetch");
const PASS = 'sdsdag';
const rsp = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
'Authorization': PASS,
'Content-Type': 'application/json'
})
});
});