Ruby: configsig rb/hardcoded-credentials

This commit is contained in:
Alex Ford
2023-09-03 16:34:44 +01:00
parent 4d1684e37b
commit cdc788b162
2 changed files with 18 additions and 11 deletions


@@ -14,7 +14,6 @@
import codeql.ruby.AST
import codeql.ruby.DataFlow
import DataFlow::PathGraph
import codeql.ruby.TaintTracking
import codeql.ruby.controlflow.CfgNodes
@@ -132,14 +131,12 @@ class CredentialSink extends DataFlow::Node {
CredentialSink() { isCredentialSink(this) }
}
class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
HardcodedCredentialsConfiguration() { this = "HardcodedCredentialsConfiguration" }
private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
override predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(ExprNodes::BinaryOperationCfgNode binop |
(
binop.getLeftOperand() = node1.asExpr() or
@@ -152,7 +149,11 @@ class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialsConfiguration conf
where conf.hasFlowPath(source, sink)
private module HardcodedCredentialsFlow = DataFlow::Global<HardcodedCredentialsConfig>;
private import HardcodedCredentialsFlow::PathGraph
from HardcodedCredentialsFlow::PathNode source, HardcodedCredentialsFlow::PathNode sink
where HardcodedCredentialsFlow::flowPath(source, sink)
select source.getNode(), source, sink, "This hardcoded value is $@.", sink.getNode(),
"used as credentials"
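Review bot: The new `HardcodedCredentialsConfig` module in the second hunk, and the `HardcodedCredentialsFlow` module instantiated from it in the third, carry no QLDoc, even though they are now the core of the query; add above `private module HardcodedCredentialsConfig implements DataFlow::ConfigSig` something like `/** Tracks hardcoded string literals (HardcodedValueSource) to credential sinks (CredentialSink); binary operations on literal fragments are added as flow steps so a secret split across concatenated pieces is still reported. */`, checked against the full `isAdditionalFlowStep` body, which is cut off at the end of the second hunk. The query is instantiated through `DataFlow::Global` rather than `TaintTracking::Global`, so apart from the explicit binary-operation step nothing else propagates a literal toward a sink; if that restriction is deliberate (keeping taint steps out to limit noise), a one-line comment on `isAdditionalFlowStep` saying so would save the next maintainer from "upgrading" it. Relatedly, `import codeql.ruby.TaintTracking` in the first hunk looks unused by the visible lines, though the rest of the file is not shown here.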


@@ -3,11 +3,14 @@ edges
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:1:33:1:36 | cert |
| HardcodedCredentials.rb:18:19:18:72 | ... + ... | HardcodedCredentials.rb:1:23:1:30 | password |
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:19:18:72 | ... + ... |
| HardcodedCredentials.rb:20:1:20:7 | pw_left | HardcodedCredentials.rb:22:1:22:2 | pw |
| HardcodedCredentials.rb:20:1:20:7 | pw_left | HardcodedCredentials.rb:22:6:22:12 | pw_left |
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:1:20:7 | pw_left |
| HardcodedCredentials.rb:21:1:21:8 | pw_right | HardcodedCredentials.rb:22:1:22:2 | pw |
| HardcodedCredentials.rb:21:1:21:8 | pw_right | HardcodedCredentials.rb:22:16:22:23 | pw_right |
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:1:21:8 | pw_right |
| HardcodedCredentials.rb:22:1:22:2 | pw | HardcodedCredentials.rb:23:19:23:20 | pw |
| HardcodedCredentials.rb:22:6:22:12 | pw_left | HardcodedCredentials.rb:22:6:22:23 | ... + ... |
| HardcodedCredentials.rb:22:6:22:23 | ... + ... | HardcodedCredentials.rb:22:1:22:2 | pw |
| HardcodedCredentials.rb:22:16:22:23 | pw_right | HardcodedCredentials.rb:22:6:22:23 | ... + ... |
| HardcodedCredentials.rb:23:19:23:20 | pw | HardcodedCredentials.rb:1:23:1:30 | password |
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:31:18:31:23 | passwd |
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:18:43:25 | username |
@@ -27,6 +30,9 @@ nodes
| HardcodedCredentials.rb:21:1:21:8 | pw_right | semmle.label | pw_right |
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | semmle.label | "4fQuzXef4f2yow8KWvIJTA==" |
| HardcodedCredentials.rb:22:1:22:2 | pw | semmle.label | pw |
| HardcodedCredentials.rb:22:6:22:12 | pw_left | semmle.label | pw_left |
| HardcodedCredentials.rb:22:6:22:23 | ... + ... | semmle.label | ... + ... |
| HardcodedCredentials.rb:22:16:22:23 | pw_right | semmle.label | pw_right |
| HardcodedCredentials.rb:23:19:23:20 | pw | semmle.label | pw |
| HardcodedCredentials.rb:31:18:31:23 | passwd | semmle.label | passwd |
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | semmle.label | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." |