Added ability to detect direct write to global AWS.config

2026-04-30 19:26:02 +02:00 · 2025-04-24 11:01:35 +02:00
parent 05e4677fd1
commit f69037c176
3 changed files with 33 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
@@ -41,6 +41,19 @@ module AWS {
      getAWSImport().getMember(getAWSServiceName()).getAnInstantiation().getReturn().asSource()
  }

+  /**
+   * Gets a node representing the AWS global config object.
+   */
+  private API::Node getAWSConfig() { result = getAWSImport().getMember("config") }
+
+  /**
+   * Gets a property write to the AWS config object.
+   * This captures assignments to AWS.config properties.
+   */
+  private DataFlow::PropWrite configAssigment() {
+    result = getAWSConfig().asSource().getAPropertyWrite()
+  }
+
  /**
   * Holds if the `i`th argument of `invk` is an object hash for `AWS.Config`.
   */
@@ -82,6 +95,20 @@ module AWS {
        or
        prop = "secretAccessKey" and kind = "password"
      )
+      or
+      // `AWS.config.accessKeyId = <user>` or `AWS.config.secretAccessKey = <password>`
+      exists(string prop, DataFlow::PropWrite propWrite |
+        propWrite = configAssigment() and
+        this = propWrite.getRhs() and
+        prop = propWrite.getPropertyName() and
+        (
+          kind = "user name" and
+          prop = "accessKeyId"
+          or
+          kind = "password" and
+          prop = "secretAccessKey"
+        )
+      )
    }

    override string getCredentialsKind() { result = kind }