hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

update tests

Browse Source
This commit is contained in:
am0o0
2024-05-25 12:15:25 +02:00
parent 2226f5126b
commit d77513579f
2 changed files with 202 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
View File

@@ -213,6 +213,11 @@ nodes
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:248:9:248:42 | publicKey |
| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
| HardcodedCredentials.js:249:23:249:31 | publicKey |
| HardcodedCredentials.js:249:23:249:31 | publicKey |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
@@ -283,6 +288,50 @@ nodes
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:308:9:308:44 | privateKey |
| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:309:34:309:43 | privateKey |
| HardcodedCredentials.js:309:34:309:43 | privateKey |
| HardcodedCredentials.js:316:9:316:44 | privateKey |
| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
| HardcodedCredentials.js:317:52:317:61 | privateKey |
| HardcodedCredentials.js:320:11:323:29 | spki |
| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` |
| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` |
| HardcodedCredentials.js:324:11:324:58 | publicKey |
| HardcodedCredentials.js:324:23:324:58 | await j ... RS256') |
| HardcodedCredentials.js:324:45:324:48 | spki |
| HardcodedCredentials.js:325:27:325:35 | publicKey |
| HardcodedCredentials.js:325:27:325:35 | publicKey |
| HardcodedCredentials.js:331:9:331:43 | secretKey |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:336:21:336:29 | secretKey |
| HardcodedCredentials.js:336:21:336:29 | secretKey |
| HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
| HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
| HardcodedCredentials.js:347:33:347:41 | secretKey |
| HardcodedCredentials.js:362:9:362:43 | secretKey |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:365:24:365:32 | secretKey |
| HardcodedCredentials.js:365:24:365:32 | secretKey |
| HardcodedCredentials.js:372:31:372:39 | secretKey |
| HardcodedCredentials.js:372:31:372:39 | secretKey |
| HardcodedCredentials.js:383:9:383:43 | secretKey |
| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:386:17:386:25 | secretKey |
| HardcodedCredentials.js:386:17:386:25 | secretKey |
| HardcodedCredentials.js:401:9:401:43 | secretKey |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" |
| HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentials.js:403:27:403:35 | secretKey |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -384,10 +433,15 @@ edges
| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') |
| HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
| HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
| HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
| HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo ... Token}` |
@@ -415,6 +469,43 @@ edges
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
| HardcodedCredentials.js:316:9:316:44 | privateKey | HardcodedCredentials.js:317:52:317:61 | privateKey |
| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
| HardcodedCredentials.js:320:11:323:29 | spki | HardcodedCredentials.js:324:45:324:48 | spki |
| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:11:323:29 | spki |
| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:11:323:29 | spki |
| HardcodedCredentials.js:324:11:324:58 | publicKey | HardcodedCredentials.js:325:27:325:35 | publicKey |
| HardcodedCredentials.js:324:11:324:58 | publicKey | HardcodedCredentials.js:325:27:325:35 | publicKey |
| HardcodedCredentials.js:324:23:324:58 | await j ... RS256') | HardcodedCredentials.js:324:11:324:58 | publicKey |
| HardcodedCredentials.js:324:45:324:48 | spki | HardcodedCredentials.js:324:23:324:58 | await j ... RS256') |
| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:336:21:336:29 | secretKey |
| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:336:21:336:29 | secretKey |
| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:347:33:347:41 | secretKey |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:9:331:43 | secretKey |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:9:331:43 | secretKey |
| HardcodedCredentials.js:347:33:347:41 | secretKey | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
| HardcodedCredentials.js:347:33:347:41 | secretKey | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:365:24:365:32 | secretKey |
| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:365:24:365:32 | secretKey |
| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:372:31:372:39 | secretKey |
| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:372:31:372:39 | secretKey |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:9:362:43 | secretKey |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:9:362:43 | secretKey |
| HardcodedCredentials.js:383:9:383:43 | secretKey | HardcodedCredentials.js:386:17:386:25 | secretKey |
| HardcodedCredentials.js:383:9:383:43 | secretKey | HardcodedCredentials.js:386:17:386:25 | secretKey |
| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:9:383:43 | secretKey |
| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:9:383:43 | secretKey |
| HardcodedCredentials.js:401:9:401:43 | secretKey | HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentials.js:401:9:401:43 | secretKey | HardcodedCredentials.js:403:27:403:35 | secretKey |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -478,6 +569,16 @@ edges
| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic ... ase64') | authorization header |
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | key |
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:309:34:309:43 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:309:34:309:43 | privateKey | key |
| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | key |
| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:325:27:325:35 | publicKey | The hard-coded value "-----BEGIN PUBLIC KEY-----\n MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9\n ...\n -----END PUBLIC KEY-----" is used as $@. | HardcodedCredentials.js:325:27:325:35 | publicKey | key |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:336:21:336:29 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:336:21:336:29 | secretKey | key |
| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") | key |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:365:24:365:32 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:365:24:365:32 | secretKey | key |
| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:372:31:372:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:372:31:372:39 | secretKey | key |
| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:386:17:386:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:386:17:386:25 | secretKey | key |
| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:403:27:403:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:403:27:403:35 | secretKey | key |

101
javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
View File

@@ -300,4 +300,105 @@
require('crypto').createHmac('sha256', 'SampleToken'); // OK
require('crypto').createHmac('sha256', 'MyPassword'); // OK
require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
})();
(function () {
const jwt_simple = require("jwt-simple");
var privateKey = "myHardCodedPrivateKey";
jwt_simple.decode(UserToken, privateKey); // NOT OK
})();
(async function () {
const jose = require("jose");
var privateKey = "myHardCodedPrivateKey";
jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK
const spki = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
...
-----END PUBLIC KEY-----`
const publicKey = await jose.importSPKI(spki, 'RS256')
jose.jwtVerify(token, publicKey) // NOT OK
})();
(function () {
const expressjwt = require("express-jwt");
var secretKey = "myHardCodedPrivateKey";
app.get(
"/protected",
expressjwt.expressjwt({
secret: secretKey, algorithms: ["HS256"] // NOT OK
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
app.get(
"/protected",
expressjwt.expressjwt({
secret: Buffer.from(secretKey, "base64"), // NOT OK
algorithms: ["RS256"],
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
})();
(function () {
const JwtStrategy = require('passport-jwt').Strategy;
const passport = require('passport')
var secretKey = "myHardCodedPrivateKey";
const opts = {}
opts.secretOrKey = secretKey; // NOT OK
passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
return done(null, false);
}));
passport.use(new JwtStrategy({
secretOrKeyProvider: function (request, rawJwtToken, done) {
return done(null, secretKey) // NOT OK
}
}, function (jwt_payload, done) {
return done(null, false);
}));
})();
(function () {
import NextAuth from "next-auth"
import AppleProvider from "next-auth/providers/apple"
var secretKey = "myHardCodedPrivateKey";
NextAuth({
secret: secretKey, // NOT OK
providers: [
AppleProvider({
clientId: process.env.APPLE_ID,
clientSecret: process.env.APPLE_SECRET,
}),
],
})
})();
(function () {
const Koa = require('koa');
const jwt = require('koa-jwt');
const app = new Koa();
var secretKey = "myHardCodedPrivateKey";
app.use(jwt({ secret: secretKey })); // NOT OK
})();