Merge branch 'main' into js/shared-dataflow

2026-04-26 17:25:19 +02:00 · 2024-06-25 11:48:41 +02:00
parent bd3fccd1a8 e0e5bdec8a
commit ecf418b8f6
2477 changed files with 100491 additions and 79725 deletions
--- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
+++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.qhelp
@@ -36,7 +36,7 @@
 		<p>

 			For JavaScript in the browser,
-			<code>RandomSource.getRandomValues</code> provides a cryptographically
+			<code>crypto.getRandomValues</code> provides a cryptographically
 			secure pseudo-random number generator.

 		</p>
@@ -69,7 +69,7 @@

 	<references>
 		<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Pseudorandom_number_generator">Pseudo-random number generator</a>.</li>
-		<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues">RandomSource.getRandomValues</a>.</li>
+		<li>Mozilla Developer Network: <a href="https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues">Crypto: getRandomValues()</a>.</li>
 		<li>NodeJS: <a href="https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback">crypto.randomBytes</a></li>
 	</references>
 </qhelp>
--- a/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
+++ b/javascript/ql/src/Security/CWE-338/examples/InsecureRandomness_fixed.js
@@ -2,5 +2,7 @@ function securePassword() {
    // GOOD: the random suffix is cryptographically secure
    var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];
    var password = "myPassword" + suffix;
-    return password;
+    
+    // GOOD: if a random value between 0 and 1 is desired
+    var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);
 }
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
@@ -19,6 +19,10 @@
  If possible, store configuration files including credential data separately from the source code,
  in a secure location with restricted access.
 </p>
+<p>
+  If the credentials are a placeholder value, make sure the value is obviously a placeholder by 
+  using a name such as <code>"SampleToken"</code> or <code>"MyPassword"</code>.
+</p>
 </recommendation>

 <example>
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -30,7 +30,7 @@ where
      // exclude dummy passwords and templates
      not (
        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
-          ["password", "credentials", "token"] and
+          ["password", "credentials", "token", "key"] and
        PasswordHeuristics::isDummyPassword(val)
        or
        sink.getNode().(Sink).getKind() = "authorization header" and