JavaScript: Extend suspiciousCredentials predicate to recognise authKey and similar.

2026-04-28 02:05:14 +02:00 · 2019-01-31 09:03:23 +00:00
parent 87e62f0bd5
commit b87abc9602
3 changed files with 6 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -40,7 +40,8 @@ module HeuristicNames {
  string suspiciousCredentials() {
    result = "(?i).*pass(wd|word|code|phrase)(?!.*question).*" or
    result = "(?i).*(puid|username|userid).*" or
-    result = "(?i).*(cert)(?!.*(format|name)).*"
+    result = "(?i).*(cert)(?!.*(format|name)).*" or
+    result = "(?i).*(auth(entication|ori[sz]ation)?)key.*"
  }
 }
 private import HeuristicNames