JavaScript: Fix a few false positives in PasswordInConfigurationFile.

2026-04-30 03:05:15 +02:00 · 2019-05-07 17:41:02 +01:00
parent d23c48330c
commit c16e9a77f3
12 changed files with 39 additions and 6 deletions
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -35,10 +35,14 @@ predicate config(string key, string val, Locatable valElement) {

 /**
 * Holds if file `f` should be excluded because it looks like it may be
- * a dictionary file, or a test or example.
+ * an API specification, a dictionary file, or a test or example.
 */
 predicate exclude(File f) {
-  f.getRelativePath().regexpMatch(".*(^|/)(lang(uage)?s?|locales?|tests?|examples?)/.*")
+  f.getRelativePath().regexpMatch("(?i).*(^|/)(lang(uage)?s?|locales?|tests?|examples?|i18n)/.*")
+  or
+  f.getStem().regexpMatch("(?i)translations?")
+  or
+  f.getExtension().toLowerCase() = "raml"
 }

 from string key, string val, Locatable valElement
@@ -48,11 +52,14 @@ where
  // exclude possible templates
  not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
  (
-    key.toLowerCase() = "password"
+    key.toLowerCase() = "password" and
+    // exclude interpolations of environment variables
+    not val.regexpMatch("\\$\\w+|\\$[{(].+[)}]|%.*%")
    or
    key.toLowerCase() != "readme" and
-    // look for `password=...`, but exclude `password=;` and `password="$(...)"`
-    val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`]).*")
+    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
+    // `password=%s` and `password==`
+    val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
  ) and
  not exclude(valElement.getFile())
 select valElement, "Avoid plaintext passwords in configuration files."
--- a/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
@@ -1 +1,2 @@
 | mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
+| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
--- a/javascript/ql/test/query-tests/Security/CWE-313/i18n/de.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/i18n/de.json
@@ -0,0 +1,3 @@
+{
+  "password": "Passwort"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/locales/de.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/locales/de.json
@@ -0,0 +1,3 @@
+{
+  "password": "Passwort"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst.raml
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst.raml
@@ -0,0 +1 @@
+password: string
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst1.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst1.json
@@ -0,0 +1,3 @@
+{
+  "password": "$pwd"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst2.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst2.json
@@ -0,0 +1,3 @@
+{
+  "password": "%pwd%"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst3.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst3.json
@@ -0,0 +1,3 @@
+{
+  "password": "${pwd:foo}"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst4.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst4.json
@@ -0,0 +1,3 @@
+{
+  "cmd": "script.sh password='secret'"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst5.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst5.json
@@ -0,0 +1,3 @@
+{
+  "cmd": "script.sh password=%s"
+}
--- a/javascript/ql/test/query-tests/Security/CWE-313/tst6.json
+++ b/javascript/ql/test/query-tests/Security/CWE-313/tst6.json
@@ -0,0 +1,3 @@
+{
+  "foo": "password==bar"
+}