Python: Make py/hardcoded-credentials a path-problem

and stop using deprecated hasFlow
This commit is contained in:
Rasmus Wriedt Larsen
2020-01-21 11:57:21 +01:00
parent 96d5703f2c
commit c5091f1ce7
2 changed files with 14 additions and 7 deletions


@@ -1,7 +1,7 @@
/**
* @name Hard-coded credentials
* @description Credentials are hard coded in the source code of the application.
* @kind problem
* @kind path-problem
* @problem.severity error
* @precision medium
* @id py/hardcoded-credentials
@@ -12,6 +12,7 @@
*/
import python
import semmle.python.security.Paths
import semmle.python.security.TaintTracking
import semmle.python.filters.Tests
@@ -155,9 +156,9 @@ class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
from HardcodedCredentialsConfiguration config, TaintSource src, TaintSink sink
from HardcodedCredentialsConfiguration config, TaintedPathSource src, TaintedPathSink sink
where config.hasFlow(src, sink) and
not any(TestScope test).contains(src.(ControlFlowNode).getNode())
where config.hasFlowPath(src, sink) and
not any(TestScope test).contains(src.getAstNode())
select sink, "Use of hardcoded credentials from $@.", src, src.toString()
select sink.getSink(), src, sink, "Use of $@.", src.getSource(), "hardcoded credentials"
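Review bot: The test-scope exclusion on the new `where` line is evaluated only against the source (`src.getAstNode()`), so a path whose hard-coded literal sits outside test code but whose sink is inside a TestScope is still reported, while the reverse case is silently dropped; the asymmetry carries over from the old query, but it deserves a comment now that the row shape has changed. Suggest adding above the `where`: `// Drop findings whose hard-coded value is defined inside test code; sinks are deliberately not filtered.` If the intent is to ignore any path that touches tests, a second conjunct such as `not any(TestScope test).contains(sink.getAstNode())` would do it, assuming TaintedPathSink offers the same getAstNode() accessor as TaintedPathSource. The HardcodedCredentialsConfiguration class whose taint configuration this query depends on is defined entirely outside the hunk.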


@@ -1,2 +1,8 @@
| test.py:14:18:14:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:5:12:5:24 | Taint source | Taint source |
| test.py:15:18:15:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:6:12:6:25 | Taint source | Taint source |
edges
| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
#select
| test.py:14:18:14:25 | USERNAME | test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value | Use of $@. | test.py:5:12:5:24 | Str | hardcoded credentials |
| test.py:15:18:15:25 | PASSWORD | test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value | Use of $@. | test.py:6:12:6:25 | Str | hardcoded credentials |