JS: Port CleartextLogging

Asger F
2023-10-04 21:43:14 +02:00
parent a5c221fcfc
commit b8a6f81669
4 changed files with 215 additions and 304 deletions


@@ -16,14 +16,20 @@ module CleartextLogging {
/** Gets a string that describes the type of this data flow source. */
abstract string describe();
abstract DataFlow::FlowLabel getLabel();
/**
* DEPRECATED. Overriding this predicate no longer has any effect.
*/
deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
}
/**
* A data flow sink for clear-text logging of sensitive information.
*/
abstract class Sink extends DataFlow::Node {
DataFlow::FlowLabel getLabel() { result.isTaint() }
/**
* DEPRECATED. Overriding this predicate no longer has any effect.
*/
deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
}
/**
@@ -103,29 +109,28 @@ module CleartextLogging {
abstract private class NonCleartextPassword extends DataFlow::Node { }
/**
* An object with a property that may contain password information
*
* This is a source since `console.log(obj)` will show the properties of `obj`.
* A value stored in a property that may contain password information
*/
private class ObjectPasswordPropertySource extends DataFlow::ValueNode, Source {
string name;
ObjectPasswordPropertySource() {
exists(DataFlow::PropWrite write |
write.getPropertyName() = name and
name.regexpMatch(maybePassword()) and
not name.regexpMatch(notSensitiveRegexp()) and
write = this.(DataFlow::SourceNode).getAPropertyWrite(name) and
this = write.getRhs() and
// avoid safe values assigned to presumably unsafe names
not write.getRhs() instanceof NonCleartextPassword
not this instanceof NonCleartextPassword
)
}
override string describe() { result = "an access to " + name }
override DataFlow::FlowLabel getLabel() { result.isTaint() }
}
/** An access to a variable or property that might contain a password. */
/**
* An access to a variable or property that might contain a password.
*/
private class ReadPasswordSource extends DataFlow::ValueNode, Source {
string name;
@@ -147,8 +152,6 @@ module CleartextLogging {
}
override string describe() { result = "an access to " + name }
override DataFlow::FlowLabel getLabel() { result.isTaint() }
}
/** A call that might return a password. */
@@ -161,8 +164,6 @@ module CleartextLogging {
}
override string describe() { result = "a call to " + name }
override DataFlow::FlowLabel getLabel() { result.isTaint() }
}
/** An access to the sensitive object `process.env`. */
@@ -170,8 +171,28 @@ module CleartextLogging {
ProcessEnvSource() { this = NodeJSLib::process().getAPropertyRead("env") }
override string describe() { result = "process environment" }
}
override DataFlow::FlowLabel getLabel() { result.isTaint() }
/** Gets a data flow node referring to `process.env`. */
private DataFlow::SourceNode processEnv(DataFlow::TypeTracker t) {
t.start() and
result instanceof ProcessEnvSource
or
exists(DataFlow::TypeTracker t2 | result = processEnv(t2).track(t2, t))
}
/** Gets a data flow node referring to `process.env`. */
DataFlow::SourceNode processEnv() { result = processEnv(DataFlow::TypeTracker::end()) }
/**
* A property access on `process.env`, seen as a barrier.
*/
private class SafeEnvironmentVariableBarrier extends Barrier instanceof DataFlow::PropRead {
SafeEnvironmentVariableBarrier() {
this = processEnv().getAPropertyRead() and
// If the name is known, it should not be sensitive
not nameIndicatesSensitiveData(this.getPropertyName(), _)
}
}
/**
@@ -183,26 +204,10 @@ module CleartextLogging {
succ.(DataFlow::PropRead).getBase() = pred
}
private class PropReadAsBarrier extends Barrier {
PropReadAsBarrier() {
this = any(DataFlow::PropRead read).getBase() and
// the 'foo' in 'foo.bar()' may have flow, we only want to suppress plain property reads
not this = any(DataFlow::MethodCallNode call).getReceiver() and
// do not block custom taint steps from this node
not isAdditionalTaintStep(this, _)
}
}
/**
* Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
*/
predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
// A taint propagating data flow edge through objects: a tainted write taints the entire object.
exists(DataFlow::PropWrite write |
write.getRhs() = src and
trg.(DataFlow::SourceNode).flowsTo(write.getBase())
)
or
// A property-copy step,
// dst[x] = src[x]
// dst[x] = JSON.stringify(src[x])
@@ -218,7 +223,7 @@ module CleartextLogging {
not exists(read.getPropertyName()) and
not isFilteredPropertyName(read.getPropertyNameExpr().flow().getALocalSource()) and
src = read.getBase() and
trg = write.getBase().getALocalSource()
trg = write.getBase().getPostUpdateNode()
)
or
// Taint through the arguments object.
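Review bot: `SafeEnvironmentVariableBarrier` (the `@@ -170,8 +171,28 @@` hunk) also turns a `process.env` read with a computed key into a barrier: when `this.getPropertyName()` has no value, `not nameIndicatesSensitiveData(this.getPropertyName(), _)` holds vacuously, so `console.log(process.env[key])` is never reported even if `key` names a secret at runtime. That appears intentional given `// If the name is known, it should not be sensitive`, but it is a silent false-negative class that the QLDoc should spell out. I would extend the class doc with `* Reads with an unknown (computed) property name are also barriers, so secrets read as process.env[name] are not tracked.`, and if the intent is narrower, restrict the barrier to known names with `exists(string n | n = this.getPropertyName() | not nameIndicatesSensitiveData(n, _))`. Since `isBarrier` in the new config applies to every `Barrier` subclass, this choice now decides whether such reads reach any sink.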


@@ -20,7 +20,38 @@ private import CleartextLoggingCustomizations::CleartextLogging as CleartextLogg
* added either by extending the relevant class, or by subclassing this configuration itself,
* and amending the sources and sinks.
*/
class Configuration extends TaintTracking::Configuration {
module CleartextLoggingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
predicate isBarrierIn(DataFlow::Node node) {
// We rely on heuristic sources, which tends to cause sources to overlap
isSource(node)
}
predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
CleartextLogging::isAdditionalTaintStep(src, trg)
}
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
// Assume all properties of a logged object are themselves logged.
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}
}
/**
* Taint tracking flow for clear-text logging of sensitive information.
*/
module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
/**
* DEPRECATED. Use the `CleartextLoggingFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CleartextLogging" }
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
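Review bot: The QLDoc that now heads `CleartextLoggingConfig` still says sources and sinks can be added `by subclassing this configuration itself, and amending the sources and sinks`, which was true of the old `TaintTracking::Configuration` class but is not possible for a `DataFlow::ConfigSig` module; the comment starts before the hunk, so only its tail is visible here. I would change those lines to `* added by extending the relevant class in CleartextLoggingCustomizations.` and keep the old wording only on the `deprecated class Configuration` below it. `isBarrierIn(node) { isSource(node) }` also deserves a sentence on its effect rather than only its cause: flow arriving at a heuristic source is cut there, so presumably a finding is attributed to the source nearest the sink rather than threaded through an earlier one; `// We rely on heuristic sources, which tends to cause sources to overlap` does not say that. The enclosing doc comment and the deprecated class both extend outside the hunk.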


@@ -15,7 +15,7 @@
import javascript
import semmle.javascript.security.dataflow.CleartextLoggingQuery
import DataFlow::PathGraph
import CleartextLoggingFlow::PathGraph
/**
* Holds if `tl` is used in a browser environment.
@@ -33,9 +33,9 @@ predicate inBrowserEnvironment(TopLevel tl) {
)
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink
where
cfg.hasFlowPath(source, sink) and
CleartextLoggingFlow::flowPath(source, sink) and
// ignore logging to the browser console (even though it is not a good practice)
not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
select sink.getNode(), source, sink, "This logs sensitive data returned by $@ as clear text.",


@@ -1,300 +1,175 @@
nodes
| passwords.js:2:17:2:24 | password |
| passwords.js:2:17:2:24 | password |
| passwords.js:2:17:2:24 | password |
| passwords.js:3:17:3:26 | o.password |
| passwords.js:3:17:3:26 | o.password |
| passwords.js:3:17:3:26 | o.password |
| passwords.js:4:17:4:29 | getPassword() |
| passwords.js:4:17:4:29 | getPassword() |
| passwords.js:4:17:4:29 | getPassword() |
| passwords.js:5:17:5:31 | o.getPassword() |
| passwords.js:5:17:5:31 | o.getPassword() |
| passwords.js:5:17:5:31 | o.getPassword() |
| passwords.js:7:20:7:20 | x |
| passwords.js:8:21:8:21 | x |
| passwords.js:8:21:8:21 | x |
| passwords.js:10:11:10:18 | password |
| passwords.js:10:11:10:18 | password |
| passwords.js:12:18:12:25 | password |
| passwords.js:12:18:12:25 | password |
| passwords.js:12:18:12:25 | password |
| passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:14:31:14:38 | password |
| passwords.js:14:31:14:38 | password |
| passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:16:29:16:36 | password |
| passwords.js:16:29:16:36 | password |
| passwords.js:18:9:20:5 | obj1 |
| passwords.js:18:16:20:5 | {\\n ... x\\n } |
| passwords.js:18:16:20:5 | {\\n ... x\\n } |
| passwords.js:21:17:21:20 | obj1 |
| passwords.js:21:17:21:20 | obj1 |
| passwords.js:23:9:25:5 | obj2 |
| passwords.js:23:16:25:5 | {\\n ... d\\n } |
| passwords.js:24:12:24:19 | password |
| passwords.js:24:12:24:19 | password |
| passwords.js:26:17:26:20 | obj2 |
| passwords.js:26:17:26:20 | obj2 |
| passwords.js:28:9:28:17 | obj3 |
| passwords.js:28:16:28:17 | {} |
| passwords.js:29:17:29:20 | obj3 |
| passwords.js:29:17:29:20 | obj3 |
| passwords.js:30:14:30:21 | password |
| passwords.js:30:14:30:21 | password |
| passwords.js:77:37:77:53 | req.body.password |
| passwords.js:77:37:77:53 | req.body.password |
| passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:80:9:80:25 | secret |
| passwords.js:80:18:80:25 | password |
| passwords.js:80:18:80:25 | password |
| passwords.js:81:17:81:31 | `pw: ${secret}` |
| passwords.js:81:17:81:31 | `pw: ${secret}` |
| passwords.js:81:24:81:29 | secret |
| passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:93:39:93:46 | password |
| passwords.js:93:39:93:46 | password |
| passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:98:39:98:46 | password |
| passwords.js:98:39:98:46 | password |
| passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:105:39:105:46 | password |
| passwords.js:105:39:105:46 | password |
| passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:110:39:110:46 | password |
| passwords.js:110:39:110:46 | password |
| passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:114:43:114:50 | password |
| passwords.js:114:43:114:50 | password |
| passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:119:39:119:46 | password |
| passwords.js:119:39:119:46 | password |
| passwords.js:122:17:122:49 | name + ... tring() |
| passwords.js:122:17:122:49 | name + ... tring() |
| passwords.js:122:31:122:38 | password |
| passwords.js:122:31:122:38 | password |
| passwords.js:122:31:122:49 | password.toString() |
| passwords.js:123:17:123:48 | name + ... lueOf() |
| passwords.js:123:17:123:48 | name + ... lueOf() |
| passwords.js:123:31:123:38 | password |
| passwords.js:123:31:123:38 | password |
| passwords.js:123:31:123:48 | password.valueOf() |
| passwords.js:127:9:132:5 | config |
| passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:130:12:130:19 | password |
| passwords.js:130:12:130:19 | password |
| passwords.js:131:12:131:24 | getPassword() |
| passwords.js:131:12:131:24 | getPassword() |
| passwords.js:135:17:135:22 | config |
| passwords.js:135:17:135:22 | config |
| passwords.js:136:17:136:24 | config.x |
| passwords.js:136:17:136:24 | config.x |
| passwords.js:137:17:137:24 | config.y |
| passwords.js:137:17:137:24 | config.y |
| passwords.js:142:26:142:34 | arguments |
| passwords.js:142:26:142:34 | arguments |
| passwords.js:147:12:147:19 | password |
| passwords.js:147:12:147:19 | password |
| passwords.js:149:21:149:28 | config.x |
| passwords.js:150:21:150:31 | process.env |
| passwords.js:150:21:150:31 | process.env |
| passwords.js:152:9:152:63 | procdesc |
| passwords.js:152:20:152:44 | Util.in ... ss.env) |
| passwords.js:152:20:152:63 | Util.in ... /g, '') |
| passwords.js:152:33:152:43 | process.env |
| passwords.js:152:33:152:43 | process.env |
| passwords.js:154:21:154:28 | procdesc |
| passwords.js:156:17:156:27 | process.env |
| passwords.js:156:17:156:27 | process.env |
| passwords.js:156:17:156:27 | process.env |
| passwords.js:163:14:163:21 | password |
| passwords.js:163:14:163:21 | password |
| passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password |
| passwords.js:164:14:164:21 | password |
| passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password |
| passwords.js:169:17:169:24 | password |
| passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password |
| passwords.js:170:11:170:18 | password |
| passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:173:17:173:26 | myPassword |
| passwords.js:173:17:173:26 | myPassword |
| passwords.js:173:17:173:26 | myPassword |
| passwords.js:176:17:176:26 | myPasscode |
| passwords.js:176:17:176:26 | myPasscode |
| passwords.js:176:17:176:26 | myPasscode |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser2.js:2:13:2:20 | password |
| passwords_in_browser2.js:2:13:2:20 | password |
| passwords_in_browser2.js:2:13:2:20 | password |
| passwords_in_server_1.js:6:13:6:20 | password |
| passwords_in_server_1.js:6:13:6:20 | password |
| passwords_in_server_1.js:6:13:6:20 | password |
| passwords_in_server_2.js:3:13:3:20 | password |
| passwords_in_server_2.js:3:13:3:20 | password |
| passwords_in_server_2.js:3:13:3:20 | password |
| passwords_in_server_3.js:2:13:2:20 | password |
| passwords_in_server_3.js:2:13:2:20 | password |
| passwords_in_server_3.js:2:13:2:20 | password |
| passwords_in_server_4.js:2:13:2:20 | password |
| passwords_in_server_4.js:2:13:2:20 | password |
| passwords_in_server_4.js:2:13:2:20 | password |
| passwords_in_server_5.js:4:7:4:24 | req.query.password |
| passwords_in_server_5.js:4:7:4:24 | req.query.password |
| passwords_in_server_5.js:7:12:7:12 | x |
| passwords_in_server_5.js:8:17:8:17 | x |
| passwords_in_server_5.js:8:17:8:17 | x |
edges
| passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password |
| passwords.js:3:17:3:26 | o.password | passwords.js:3:17:3:26 | o.password |
| passwords.js:4:17:4:29 | getPassword() | passwords.js:4:17:4:29 | getPassword() |
| passwords.js:5:17:5:31 | o.getPassword() | passwords.js:5:17:5:31 | o.getPassword() |
| passwords.js:7:20:7:20 | x | passwords.js:8:21:8:21 | x |
| passwords.js:7:20:7:20 | x | passwords.js:8:21:8:21 | x |
| passwords.js:10:11:10:18 | password | passwords.js:7:20:7:20 | x |
| passwords.js:10:11:10:18 | password | passwords.js:7:20:7:20 | x |
| passwords.js:12:18:12:25 | password | passwords.js:12:18:12:25 | password |
| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword |
| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` |
| passwords.js:18:9:20:5 | obj1 | passwords.js:21:17:21:20 | obj1 |
| passwords.js:18:9:20:5 | obj1 | passwords.js:21:17:21:20 | obj1 |
| passwords.js:18:16:20:5 | {\\n ... x\\n } | passwords.js:18:9:20:5 | obj1 |
| passwords.js:18:16:20:5 | {\\n ... x\\n } | passwords.js:18:9:20:5 | obj1 |
| passwords.js:23:9:25:5 | obj2 | passwords.js:26:17:26:20 | obj2 |
| passwords.js:23:9:25:5 | obj2 | passwords.js:26:17:26:20 | obj2 |
| passwords.js:23:16:25:5 | {\\n ... d\\n } | passwords.js:23:9:25:5 | obj2 |
| passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... d\\n } |
| passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... d\\n } |
| passwords.js:28:9:28:17 | obj3 | passwords.js:29:17:29:20 | obj3 |
| passwords.js:28:9:28:17 | obj3 | passwords.js:29:17:29:20 | obj3 |
| passwords.js:28:16:28:17 | {} | passwords.js:28:9:28:17 | obj3 |
| passwords.js:30:14:30:21 | password | passwords.js:28:16:28:17 | {} |
| passwords.js:30:14:30:21 | password | passwords.js:28:16:28:17 | {} |
| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:18:9:20:5 | obj1 [password] | passwords.js:21:17:21:20 | obj1 [password] |
| passwords.js:18:16:20:5 | {\\n ... x\\n } [password] | passwords.js:18:9:20:5 | obj1 [password] |
| passwords.js:19:19:19:19 | x | passwords.js:18:16:20:5 | {\\n ... x\\n } [password] |
| passwords.js:21:17:21:20 | obj1 [password] | passwords.js:21:17:21:20 | obj1 |
| passwords.js:23:9:25:5 | obj2 [x] | passwords.js:26:17:26:20 | obj2 [x] |
| passwords.js:23:16:25:5 | {\\n ... d\\n } [x] | passwords.js:23:9:25:5 | obj2 [x] |
| passwords.js:24:12:24:19 | password | passwords.js:23:16:25:5 | {\\n ... d\\n } [x] |
| passwords.js:26:17:26:20 | obj2 [x] | passwords.js:26:17:26:20 | obj2 |
| passwords.js:28:9:28:17 | obj3 [x] | passwords.js:29:17:29:20 | obj3 [x] |
| passwords.js:29:17:29:20 | obj3 [x] | passwords.js:29:17:29:20 | obj3 |
| passwords.js:30:5:30:8 | [post update] obj3 [x] | passwords.js:28:9:28:17 | obj3 [x] |
| passwords.js:30:14:30:21 | password | passwords.js:30:5:30:8 | [post update] obj3 [x] |
| passwords.js:77:9:77:55 | temp [encryptedPassword] | passwords.js:78:17:78:20 | temp [encryptedPassword] |
| passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] | passwords.js:77:9:77:55 | temp [encryptedPassword] |
| passwords.js:77:37:77:53 | req.body.password | passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] |
| passwords.js:78:17:78:20 | temp [encryptedPassword] | passwords.js:78:17:78:38 | temp.en ... assword |
| passwords.js:80:9:80:25 | secret | passwords.js:81:24:81:29 | secret |
| passwords.js:80:18:80:25 | password | passwords.js:80:9:80:25 | secret |
| passwords.js:80:18:80:25 | password | passwords.js:80:9:80:25 | secret |
| passwords.js:81:24:81:29 | secret | passwords.js:81:17:81:31 | `pw: ${secret}` |
| passwords.js:81:24:81:29 | secret | passwords.js:81:17:81:31 | `pw: ${secret}` |
| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:93:39:93:46 | password | passwords.js:93:21:93:46 | "Passwo ... assword |
| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:98:39:98:46 | password | passwords.js:98:21:98:46 | "Passwo ... assword |
| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:105:39:105:46 | password | passwords.js:105:21:105:46 | "Passwo ... assword |
| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:110:39:110:46 | password | passwords.js:110:21:110:46 | "Passwo ... assword |
| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:114:43:114:50 | password | passwords.js:114:25:114:50 | "Passwo ... assword |
| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword |
| passwords.js:122:31:122:38 | password | passwords.js:122:31:122:49 | password.toString() |
| passwords.js:122:31:122:38 | password | passwords.js:122:31:122:49 | password.toString() |
| passwords.js:122:31:122:49 | password.toString() | passwords.js:122:17:122:49 | name + ... tring() |
| passwords.js:122:31:122:49 | password.toString() | passwords.js:122:17:122:49 | name + ... tring() |
| passwords.js:123:31:123:38 | password | passwords.js:123:31:123:48 | password.valueOf() |
| passwords.js:123:31:123:38 | password | passwords.js:123:31:123:48 | password.valueOf() |
| passwords.js:123:31:123:48 | password.valueOf() | passwords.js:123:17:123:48 | name + ... lueOf() |
| passwords.js:123:31:123:48 | password.valueOf() | passwords.js:123:17:123:48 | name + ... lueOf() |
| passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
| passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
| passwords.js:127:18:132:5 | {\\n ... )\\n } | passwords.js:127:9:132:5 | config |
| passwords.js:127:18:132:5 | {\\n ... )\\n } | passwords.js:127:9:132:5 | config |
| passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x |
| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x |
| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x |
| passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:127:18:132:5 | {\\n ... )\\n } |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:137:17:137:24 | config.y |
| passwords.js:147:12:147:19 | password | passwords.js:149:21:149:28 | config.x |
| passwords.js:147:12:147:19 | password | passwords.js:149:21:149:28 | config.x |
| passwords.js:127:9:132:5 | config [password] | passwords.js:135:17:135:22 | config [password] |
| passwords.js:127:9:132:5 | config [x] | passwords.js:135:17:135:22 | config [x] |
| passwords.js:127:9:132:5 | config [x] | passwords.js:136:17:136:22 | config [x] |
| passwords.js:127:9:132:5 | config [y] | passwords.js:135:17:135:22 | config [y] |
| passwords.js:127:9:132:5 | config [y] | passwords.js:137:17:137:22 | config [y] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [password] | passwords.js:127:9:132:5 | config [password] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [x] | passwords.js:127:9:132:5 | config [x] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [y] | passwords.js:127:9:132:5 | config [y] |
| passwords.js:128:19:128:19 | x | passwords.js:127:18:132:5 | {\\n ... )\\n } [password] |
| passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n ... )\\n } [x] |
| passwords.js:131:12:131:24 | getPassword() | passwords.js:127:18:132:5 | {\\n ... )\\n } [y] |
| passwords.js:135:17:135:22 | config [password] | passwords.js:135:17:135:22 | config |
| passwords.js:135:17:135:22 | config [x] | passwords.js:135:17:135:22 | config |
| passwords.js:135:17:135:22 | config [y] | passwords.js:135:17:135:22 | config |
| passwords.js:136:17:136:22 | config [x] | passwords.js:136:17:136:24 | config.x |
| passwords.js:137:17:137:22 | config [y] | passwords.js:137:17:137:24 | config.y |
| passwords.js:146:9:148:5 | config [x] | passwords.js:149:21:149:26 | config [x] |
| passwords.js:146:18:148:5 | {\\n ... d\\n } [x] | passwords.js:146:9:148:5 | config [x] |
| passwords.js:147:12:147:19 | password | passwords.js:146:18:148:5 | {\\n ... d\\n } [x] |
| passwords.js:149:21:149:26 | config [x] | passwords.js:149:21:149:28 | config.x |
| passwords.js:149:21:149:28 | config.x | passwords.js:142:26:142:34 | arguments |
| passwords.js:149:21:149:28 | config.x | passwords.js:142:26:142:34 | arguments |
| passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments |
| passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments |
| passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments |
| passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments |
| passwords.js:152:9:152:63 | procdesc | passwords.js:154:21:154:28 | procdesc |
| passwords.js:152:20:152:44 | Util.in ... ss.env) | passwords.js:152:20:152:63 | Util.in ... /g, '') |
| passwords.js:152:20:152:63 | Util.in ... /g, '') | passwords.js:152:9:152:63 | procdesc |
| passwords.js:152:33:152:43 | process.env | passwords.js:152:20:152:44 | Util.in ... ss.env) |
| passwords.js:152:33:152:43 | process.env | passwords.js:152:20:152:44 | Util.in ... ss.env) |
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env |
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:173:17:173:26 | myPassword | passwords.js:173:17:173:26 | myPassword |
| passwords.js:176:17:176:26 | myPasscode | passwords.js:176:17:176:26 | myPasscode |
| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password |
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password |
| passwords_in_server_4.js:2:13:2:20 | password | passwords_in_server_4.js:2:13:2:20 | password |
| passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x |
| passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x |
| passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x |
| passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x |
nodes
| passwords.js:2:17:2:24 | password | semmle.label | password |
| passwords.js:3:17:3:26 | o.password | semmle.label | o.password |
| passwords.js:4:17:4:29 | getPassword() | semmle.label | getPassword() |
| passwords.js:5:17:5:31 | o.getPassword() | semmle.label | o.getPassword() |
| passwords.js:7:20:7:20 | x | semmle.label | x |
| passwords.js:8:21:8:21 | x | semmle.label | x |
| passwords.js:10:11:10:18 | password | semmle.label | password |
| passwords.js:12:18:12:25 | password | semmle.label | password |
| passwords.js:14:17:14:38 | name + ... assword | semmle.label | name + ... assword |
| passwords.js:14:31:14:38 | password | semmle.label | password |
| passwords.js:16:17:16:38 | `${name ... sword}` | semmle.label | `${name ... sword}` |
| passwords.js:16:29:16:36 | password | semmle.label | password |
| passwords.js:18:9:20:5 | obj1 [password] | semmle.label | obj1 [password] |
| passwords.js:18:16:20:5 | {\\n ... x\\n } [password] | semmle.label | {\\n ... x\\n } [password] |
| passwords.js:19:19:19:19 | x | semmle.label | x |
| passwords.js:21:17:21:20 | obj1 | semmle.label | obj1 |
| passwords.js:21:17:21:20 | obj1 [password] | semmle.label | obj1 [password] |
| passwords.js:23:9:25:5 | obj2 [x] | semmle.label | obj2 [x] |
| passwords.js:23:16:25:5 | {\\n ... d\\n } [x] | semmle.label | {\\n ... d\\n } [x] |
| passwords.js:24:12:24:19 | password | semmle.label | password |
| passwords.js:26:17:26:20 | obj2 | semmle.label | obj2 |
| passwords.js:26:17:26:20 | obj2 [x] | semmle.label | obj2 [x] |
| passwords.js:28:9:28:17 | obj3 [x] | semmle.label | obj3 [x] |
| passwords.js:29:17:29:20 | obj3 | semmle.label | obj3 |
| passwords.js:29:17:29:20 | obj3 [x] | semmle.label | obj3 [x] |
| passwords.js:30:5:30:8 | [post update] obj3 [x] | semmle.label | [post update] obj3 [x] |
| passwords.js:30:14:30:21 | password | semmle.label | password |
| passwords.js:77:9:77:55 | temp [encryptedPassword] | semmle.label | temp [encryptedPassword] |
| passwords.js:77:16:77:55 | { encry ... sword } [encryptedPassword] | semmle.label | { encry ... sword } [encryptedPassword] |
| passwords.js:77:37:77:53 | req.body.password | semmle.label | req.body.password |
| passwords.js:78:17:78:20 | temp [encryptedPassword] | semmle.label | temp [encryptedPassword] |
| passwords.js:78:17:78:38 | temp.en ... assword | semmle.label | temp.en ... assword |
| passwords.js:80:9:80:25 | secret | semmle.label | secret |
| passwords.js:80:18:80:25 | password | semmle.label | password |
| passwords.js:81:17:81:31 | `pw: ${secret}` | semmle.label | `pw: ${secret}` |
| passwords.js:81:24:81:29 | secret | semmle.label | secret |
| passwords.js:93:21:93:46 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:93:39:93:46 | password | semmle.label | password |
| passwords.js:98:21:98:46 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:98:39:98:46 | password | semmle.label | password |
| passwords.js:105:21:105:46 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:105:39:105:46 | password | semmle.label | password |
| passwords.js:110:21:110:46 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:110:39:110:46 | password | semmle.label | password |
| passwords.js:114:25:114:50 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:114:43:114:50 | password | semmle.label | password |
| passwords.js:119:21:119:46 | "Passwo ... assword | semmle.label | "Passwo ... assword |
| passwords.js:119:39:119:46 | password | semmle.label | password |
| passwords.js:122:17:122:49 | name + ... tring() | semmle.label | name + ... tring() |
| passwords.js:122:31:122:38 | password | semmle.label | password |
| passwords.js:122:31:122:49 | password.toString() | semmle.label | password.toString() |
| passwords.js:123:17:123:48 | name + ... lueOf() | semmle.label | name + ... lueOf() |
| passwords.js:123:31:123:38 | password | semmle.label | password |
| passwords.js:123:31:123:48 | password.valueOf() | semmle.label | password.valueOf() |
| passwords.js:127:9:132:5 | config [password] | semmle.label | config [password] |
| passwords.js:127:9:132:5 | config [x] | semmle.label | config [x] |
| passwords.js:127:9:132:5 | config [y] | semmle.label | config [y] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [password] | semmle.label | {\\n ... )\\n } [password] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [x] | semmle.label | {\\n ... )\\n } [x] |
| passwords.js:127:18:132:5 | {\\n ... )\\n } [y] | semmle.label | {\\n ... )\\n } [y] |
| passwords.js:128:19:128:19 | x | semmle.label | x |
| passwords.js:130:12:130:19 | password | semmle.label | password |
| passwords.js:131:12:131:24 | getPassword() | semmle.label | getPassword() |
| passwords.js:135:17:135:22 | config | semmle.label | config |
| passwords.js:135:17:135:22 | config [password] | semmle.label | config [password] |
| passwords.js:135:17:135:22 | config [x] | semmle.label | config [x] |
| passwords.js:135:17:135:22 | config [y] | semmle.label | config [y] |
| passwords.js:136:17:136:22 | config [x] | semmle.label | config [x] |
| passwords.js:136:17:136:24 | config.x | semmle.label | config.x |
| passwords.js:137:17:137:22 | config [y] | semmle.label | config [y] |
| passwords.js:137:17:137:24 | config.y | semmle.label | config.y |
| passwords.js:142:26:142:34 | arguments | semmle.label | arguments |
| passwords.js:146:9:148:5 | config [x] | semmle.label | config [x] |
| passwords.js:146:18:148:5 | {\\n ... d\\n } [x] | semmle.label | {\\n ... d\\n } [x] |
| passwords.js:147:12:147:19 | password | semmle.label | password |
| passwords.js:149:21:149:26 | config [x] | semmle.label | config [x] |
| passwords.js:149:21:149:28 | config.x | semmle.label | config.x |
| passwords.js:150:21:150:31 | process.env | semmle.label | process.env |
| passwords.js:152:9:152:63 | procdesc | semmle.label | procdesc |
| passwords.js:152:20:152:44 | Util.in ... ss.env) | semmle.label | Util.in ... ss.env) |
| passwords.js:152:20:152:63 | Util.in ... /g, '') | semmle.label | Util.in ... /g, '') |
| passwords.js:152:33:152:43 | process.env | semmle.label | process.env |
| passwords.js:154:21:154:28 | procdesc | semmle.label | procdesc |
| passwords.js:156:17:156:27 | process.env | semmle.label | process.env |
| passwords.js:163:14:163:21 | password | semmle.label | password |
| passwords.js:163:14:163:41 | passwor ... g, "*") | semmle.label | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | semmle.label | password |
| passwords.js:164:14:164:42 | passwor ... g, "*") | semmle.label | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | semmle.label | password |
| passwords.js:169:17:169:45 | passwor ... g, "*") | semmle.label | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | semmle.label | password |
| passwords.js:170:11:170:39 | passwor ... g, "*") | semmle.label | passwor ... g, "*") |
| passwords.js:173:17:173:26 | myPassword | semmle.label | myPassword |
| passwords.js:176:17:176:26 | myPasscode | semmle.label | myPasscode |
| passwords_in_browser1.js:2:13:2:20 | password | semmle.label | password |
| passwords_in_browser2.js:2:13:2:20 | password | semmle.label | password |
| passwords_in_server_1.js:6:13:6:20 | password | semmle.label | password |
| passwords_in_server_2.js:3:13:3:20 | password | semmle.label | password |
| passwords_in_server_3.js:2:13:2:20 | password | semmle.label | password |
| passwords_in_server_4.js:2:13:2:20 | password | semmle.label | password |
| passwords_in_server_5.js:4:7:4:24 | req.query.password | semmle.label | req.query.password |
| passwords_in_server_5.js:7:12:7:12 | x | semmle.label | x |
| passwords_in_server_5.js:8:17:8:17 | x | semmle.label | x |
subpaths
#select
| passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password | passwords.js:2:17:2:24 | password | This logs sensitive data returned by $@ as clear text. | passwords.js:2:17:2:24 | password | an access to password |
| passwords.js:3:17:3:26 | o.password | passwords.js:3:17:3:26 | o.password | passwords.js:3:17:3:26 | o.password | This logs sensitive data returned by $@ as clear text. | passwords.js:3:17:3:26 | o.password | an access to password |
@@ -304,7 +179,7 @@ edges
| passwords.js:12:18:12:25 | password | passwords.js:12:18:12:25 | password | passwords.js:12:18:12:25 | password | This logs sensitive data returned by $@ as clear text. | passwords.js:12:18:12:25 | password | an access to password |
| passwords.js:14:17:14:38 | name + ... assword | passwords.js:14:31:14:38 | password | passwords.js:14:17:14:38 | name + ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:14:31:14:38 | password | an access to password |
| passwords.js:16:17:16:38 | `${name ... sword}` | passwords.js:16:29:16:36 | password | passwords.js:16:17:16:38 | `${name ... sword}` | This logs sensitive data returned by $@ as clear text. | passwords.js:16:29:16:36 | password | an access to password |
| passwords.js:21:17:21:20 | obj1 | passwords.js:18:16:20:5 | {\\n ... x\\n } | passwords.js:21:17:21:20 | obj1 | This logs sensitive data returned by $@ as clear text. | passwords.js:18:16:20:5 | {\\n ... x\\n } | an access to password |
| passwords.js:21:17:21:20 | obj1 | passwords.js:19:19:19:19 | x | passwords.js:21:17:21:20 | obj1 | This logs sensitive data returned by $@ as clear text. | passwords.js:19:19:19:19 | x | an access to password |
| passwords.js:26:17:26:20 | obj2 | passwords.js:24:12:24:19 | password | passwords.js:26:17:26:20 | obj2 | This logs sensitive data returned by $@ as clear text. | passwords.js:24:12:24:19 | password | an access to password |
| passwords.js:29:17:29:20 | obj3 | passwords.js:30:14:30:21 | password | passwords.js:29:17:29:20 | obj3 | This logs sensitive data returned by $@ as clear text. | passwords.js:30:14:30:21 | password | an access to password |
| passwords.js:78:17:78:38 | temp.en ... assword | passwords.js:77:37:77:53 | req.body.password | passwords.js:78:17:78:38 | temp.en ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:77:37:77:53 | req.body.password | an access to password |
@@ -317,7 +192,7 @@ edges
| passwords.js:119:21:119:46 | "Passwo ... assword | passwords.js:119:39:119:46 | password | passwords.js:119:21:119:46 | "Passwo ... assword | This logs sensitive data returned by $@ as clear text. | passwords.js:119:39:119:46 | password | an access to password |
| passwords.js:122:17:122:49 | name + ... tring() | passwords.js:122:31:122:38 | password | passwords.js:122:17:122:49 | name + ... tring() | This logs sensitive data returned by $@ as clear text. | passwords.js:122:31:122:38 | password | an access to password |
| passwords.js:123:17:123:48 | name + ... lueOf() | passwords.js:123:31:123:38 | password | passwords.js:123:17:123:48 | name + ... lueOf() | This logs sensitive data returned by $@ as clear text. | passwords.js:123:31:123:38 | password | an access to password |
| passwords.js:135:17:135:22 | config | passwords.js:127:18:132:5 | {\\n ... )\\n } | passwords.js:135:17:135:22 | config | This logs sensitive data returned by $@ as clear text. | passwords.js:127:18:132:5 | {\\n ... )\\n } | an access to password |
| passwords.js:135:17:135:22 | config | passwords.js:128:19:128:19 | x | passwords.js:135:17:135:22 | config | This logs sensitive data returned by $@ as clear text. | passwords.js:128:19:128:19 | x | an access to password |
| passwords.js:135:17:135:22 | config | passwords.js:130:12:130:19 | password | passwords.js:135:17:135:22 | config | This logs sensitive data returned by $@ as clear text. | passwords.js:130:12:130:19 | password | an access to password |
| passwords.js:135:17:135:22 | config | passwords.js:131:12:131:24 | getPassword() | passwords.js:135:17:135:22 | config | This logs sensitive data returned by $@ as clear text. | passwords.js:131:12:131:24 | getPassword() | a call to getPassword |
| passwords.js:136:17:136:24 | config.x | passwords.js:130:12:130:19 | password | passwords.js:136:17:136:24 | config.x | This logs sensitive data returned by $@ as clear text. | passwords.js:130:12:130:19 | password | an access to password |