// Test case: node-postgres client configured with literal credentials.
// Both the literal user name and the literal password are expected to be
// reported. The host, database name and port are not credentials and get
// no expectation. The compliant form reads these from the environment or
// a secrets store (see the process.env cases further down in this file).
(function() {
const pg = require('pg');
const client = new pg.Client({
user: 'dbuser', // $ Alert
host: 'database.server.com',
database: 'mydb',
password: 'hgfedcba', // $ Alert
port: 3211,
});
client.connect();
})();
// Test case: the `auth` option of http/https request(), which carries a
// "user:password" Basic-auth string. The `MISSING:` expectations record a
// known false negative: these literals should be reported but the query
// does not currently model this option, so no alert is expected yet.
// The last call takes its value from an unknown function and is therefore
// not a hard-coded credential from the query's point of view.
(function() {
require("http").request({auth: "user:hgfedcba"}); // $ MISSING: Alert
require("https").request({auth: "user:hgfedcba"}); // $ MISSING: Alert
function getCredentials() {
return "user:hgfedcba";
}
require("http").request({auth: getCredentials()}); // $ MISSING: Alert
require("http").request({auth: getUnknownCredentials()});
})();
// Test case: express-basic-auth `users` map. A literal password in the
// map is reported whether the map is written inline or built up through a
// property assignment before it reaches basicAuth(); the alert is expected
// at the assignment of the literal, not at the basicAuth() call.
(function() {
var basicAuth = require('express-basic-auth');
basicAuth({users: { 'admin': 'hgfedcba' }}); // $ Alert
var users = {};
users['unknown-admin-name'] = 'hgfedcba'; // $ Alert
basicAuth({users: users});
})();
// Test case: basic-auth-connect called positionally with a literal user
// name and password. The callback-style overload passes no credentials
// and must not be reported.
(function() {
var basicAuth = require('basic-auth-connect');
basicAuth('username', 'hgfedcba'); // $ Alert
basicAuth(function(){});
})();
// Test case: AWS SDK v2 credential configuration via AWS.config.update(),
// the AWS.Config constructor, and Config#update(). Each line carrying a
// literal key pair is expected to produce at least one alert; the last
// case checks that a secret assigned to a plain object that is later
// passed to update() is still tracked back to the literal.
(function() {
var AWS = require('aws-sdk');
AWS.config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // $ Alert
new AWS.Config({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // $ Alert
var config = new AWS.Config();
config.update({ accessKeyId: 'username', secretAccessKey: 'hgfedcba'}); // $ Alert
var o = {};
o.secretAccessKey = 'hgfedcba'; // $ Alert
config.update(o);
})();
// Test case: the `request` library. Covers the chained `.auth(user, pass)`
// form, the `auth` option object with `user`/`pass` fields, and bearer
// tokens given either as the fourth `.auth()` argument or as `auth.bearer`.
// The same modelling is expected for request.get/post/head and for calling
// request() directly. `url` and `_` are deliberately unresolved here; only
// the literal credential arguments matter to the query.
(function() {
var request = require('request');
request.get(url).auth('username', 'hgfedcba'); // $ Alert
request.get(url, {
'auth': {
'user': 'username', // $ Alert
'pass': 'hgfedcba' // $ Alert
}
});
request.get(url).auth(null, null, _, 'bearerToken'); // $ Alert
request.get(url, {
'auth': {
'bearer': 'bearerToken' // $ Alert
}
});
request.post(url).auth('username', 'hgfedcba'); // $ Alert
request.head(url).auth('username', 'hgfedcba'); // $ Alert
request(url).auth('username', 'hgfedcba'); // $ Alert
request(url, {
'auth': {
'user': 'username', // $ Alert
'pass': 'hgfedcba' // $ Alert
}
});
})();
// Test case: ms-rest-azure login helpers. Literal user/password and literal
// service-principal secrets are reported; the middle call is the compliant
// counterpart that reads both values from environment variables and must
// not be reported.
(function() {
const MsRest = require('ms-rest-azure');
MsRest.loginWithUsernamePassword('username', 'hgfedcba', function(){}); // $ Alert
MsRest.loginWithUsernamePassword(process.env.AZURE_USER, process.env.AZURE_PASS, function(){});
MsRest.loginWithServicePrincipalSecret('username', 'hgfedcba', function(){}); // $ Alert
})();
// Test case: DigitalOcean API client token. A literal token is reported;
// a token read from the environment is not.
(function() {
var digitalocean = require('digitalocean');
digitalocean.client('TOKEN'); // $ Alert
digitalocean.client(process.env.DIGITAL_OCEAN_TOKEN);
})();
// Test case: pkgcloud client options. Every credential-like option name
// that the model knows about (account, keyId, storageAccount, username,
// key, apiKey, storageAccessKey, password, token) is reported when it is
// a literal, while an unrelated option is not. Only the `compute` service,
// reached directly or via `providers.<name>`, is modelled: the calls on an
// unknown service carry the same literals but have no expectations. The
// final call is the compliant environment-variable form.
(function() {
var pkgcloud = require('pkgcloud');
pkgcloud.compute.createClient({
account: 'x1', // $ Alert
keyId: 'x2',// $ Alert
storageAccount: 'x3', // $ Alert
username: 'x4', // $ Alert
key: 'hgfedcba', // $ Alert
apiKey: 'hgfedcba', // $ Alert
storageAccessKey: 'hgfedcba', // $ Alert
password: 'hgfedcba', // $ Alert
token: 'hgfedcba' // $ Alert
});
pkgcloud.compute.createClient({
INNOCENT_DATA: '42'
});
pkgcloud.providers.SOME_PROVIDER.compute.createClient({
username: 'x5', // $ Alert
password: 'hgfedcba' // $ Alert
});
pkgcloud.UNKNOWN_SERVICE.createClient({
username: 'x6',
password: 'hgfedcba'
});
pkgcloud.providers.SOME_PROVIDER.UNKNOWN_SERVICE.createClient({
username: 'x7',
password: 'hgfedcba'
});
pkgcloud.compute.createClient({
username: process.env.USERNAME,
password: process.env.PASSWORD
});
})();
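// Test case: literal keys passed to Node's crypto.createHmac() and to
// crypto-js AES encryption. A hard-coded HMAC or cipher key is reported
// just like a password.
// The closing `})()` is terminated with a semicolon: without it, the
// `(function(){ ... })()` that follows is parsed as a call on this IIFE's
// (undefined) return value rather than as a separate statement.
(function(){
require('crypto').createHmac('sha256', 'hgfedcba'); // $ Alert
require("crypto-js/aes").encrypt('my message', 'hgfedcba'); // $ Alert
})();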
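// Test case: cookie-session signing secret given as a literal.
// The closing `})()` is terminated with a semicolon: without it, the
// `(function(){ ... })()` that follows is parsed as a call on this IIFE's
// (undefined) return value rather than as a separate statement.
(function(){
require("cookie-session")({ secret: "hgfedcba" }); // $ Alert
})();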
// Negative test case: an empty user name together with a password taken
// from the environment. Neither value is a hard-coded credential, so no
// alert is expected anywhere in this block.
(function(){
var request = require('request');
request.get(url, {
'auth': {
'user': '',
'pass': process.env.PASSWORD
}
});
})();
// Negative test case: credentials that come from a function call or the
// environment, with `|| ''` as an empty-string fallback. The empty-string
// literal reaching the `user`/`pass` fields must not be reported.
(function(){
var request = require('request');
let pass = getPassword() || '';
request.get(url, {
'auth': {
'user': process.env.USER || '',
'pass': pass,
}
});
})();
// Test case: random-looking secrets for cookie-session and createHmac()
// are reported. The express-basic-auth call with a computed user name and
// the value 'change_me' has no expectation -- presumably because the query
// treats such obvious placeholders as non-credentials (compare the
// placeholder cases near the end of this file).
(function(){
require("cookie-session")({ secret: "oiuneawrgiyubaegr" }); // $ Alert
require('crypto').createHmac('sha256', 'oiuneawrgiyubaegr'); // $ Alert
var basicAuth = require('express-basic-auth');
basicAuth({users: { [adminName]: 'change_me' }});
})();
// Test case: node-fetch with a Basic Authorization header built from
// literal user/password via base64. The alerts are expected at the two
// literals; the `Sink` expectations mark each place the encoded value
// reaches a modelled header sink -- the Headers constructor, a plain
// headers object, Headers#append and Headers#set.
// Note this async function expression is never invoked (it ends in `});`,
// not `})();`), which is fine for a static-analysis fixture but means the
// block is not a runnable example. `ENDPOINT` and `body` are unresolved.
(async function () {
const base64 = require('base-64');
const fetch = require("node-fetch");
const USER = 'sdsdag'; // $ Alert
const PASS = 'sdsdag'; // $ Alert
const AUTH = base64.encode(`${USER}:${PASS}`);
const rsp = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
"Authorization": `Basic ${AUTH}`, // $ Sink
"Content-Type": 'application/json'
})
});
fetch(ENDPOINT, {
method: 'post',
body: JSON.stringify(body),
headers: {
"Content-Type": 'application/json',
"Authorization": `Basic ${AUTH}` // $ Sink
},
})
var headers = new fetch.Headers({
"Content-Type": 'application/json'
});
headers.append("Authorization", `Basic ${AUTH}`) // $ Sink
fetch(ENDPOINT, {
method: 'get',
headers: headers
});
var headers2 = new fetch.Headers({
"Content-Type": 'application/json'
});
headers2.set("Authorization", `Basic ${AUTH}`) // $ Sink
fetch(ENDPOINT, {
method: 'get',
headers: headers2
});
});
// Test case: the same Basic-auth pattern using the browser's global
// Headers API rather than node-fetch's. The literals are reported and
// Headers#append with the encoded value is the sink.
// As above, the wrapper function is never invoked.
(function () {
const base64 = require('base-64');
const USER = 'sdsdag'; // $ Alert
const PASS = 'sdsdag'; // $ Alert
const AUTH = base64.encode(`${USER}:${PASS}`);
// browser API
var headers = new Headers();
headers.append("Content-Type", 'application/json');
headers.append("Authorization", `Basic ${AUTH}`); // $ Sink
fetch(ENDPOINT, {
method: 'get',
headers: headers
});
});
// Test case: Basic auth where only the user name is literal and the
// password is fetched from a config object. Only the user name is
// reported; the Buffer-based base64 encoding reaching the Authorization
// header is the sink.
// Caveats for readers: an `import` declaration inside a function body is
// not valid JavaScript (the CodeQL extractor appears to tolerate it for
// the purpose of this fixture), and the function is never invoked -- its
// closing `})` has no call and no semicolon, so the `(function () {` on
// the next line is parsed as an argument list applied to it.
(async function () {
import fetch from 'node-fetch';
const username = 'sdsdag'; // $ Alert
const password = config.get('some_actually_secrect_password');
const response = await fetch(ENDPOINT, {
method: 'get',
headers: {
'Content-Type': 'application/json',
Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'), // $ Sink
},
});
})
// Test case: jsonwebtoken with literal keys. Both the signing key passed
// to jwt.sign() and the verification key passed to jwt.verify() are
// reported, and both calls are sinks. Note that the verification key is
// flagged as well even though a public key is not itself a secret.
// (The literal is not a real PEM key, so RS256 would fail at runtime; that
// is irrelevant to the static check.) `import` inside a function is not
// valid JavaScript -- see the previous block.
(function () {
import jwt from "jsonwebtoken";
var privateKey = "myHardCodedPrivateKey"; // $ Alert
var token = jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256'}); // $ Sink
var publicKey = "myHardCodedPublicKey"; // $ Alert
jwt.verify(token, publicKey, function(err, decoded) { // $ Sink
console.log(decoded);
});
})();
// Negative test cases for the Authorization header sink. `Basic foo` is
// accepted as a dummy value that no one would ship as a real credential,
// and the second header only hard-codes the scheme name ('Bearer'/'OAuth')
// while the token itself comes from a variable. Neither should be
// reported. The wrapper function is never invoked.
(async function () {
const fetch = require("node-fetch");
const rsp = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
"Authorization": `Basic foo`, // OK - dummy password
"Content-Type": 'application/json'
})
});
const rsp2 = await fetch(ENDPOINT, {
method: 'get',
headers: new fetch.Headers({
"Authorization": `${foo ? 'Bearer' : 'OAuth'} ${accessToken}`, // OK - just a protocol selector
"Content-Type": 'application/json'
})
});
});
// Negative test cases: strings that look like templating placeholders
// ({{ ... }}, ( ... ), env references), keyboard-sequence or numeric runs,
// and common dummy words ("foo", "mypassword", "mytoken", "fake token",
// "custom string"). None of these carry an expectation: they should be
// recognised as placeholders rather than real credentials, so a reviewer
// should not expect the query to flag obvious example values. The
// wrapper function is never invoked.
(function() {
require("http").request({auth: "user:{{ INSERT_HERE }}"});
require("http").request({auth: "user:token {{ INSERT_HERE }}"});
require("http").request({auth: "user:( INSERT_HERE )"});
require("http").request({auth: "user:{{ env.access_token }}"});
require("http").request({auth: "user:abcdefgh"});
require("http").request({auth: "user:12345678"});
require("http").request({auth: "user:foo"});
require("http").request({auth: "user:mypassword"})
require("http").request({auth: "user:mytoken"})
require("http").request({auth: "user:fake token"})
require("http").request({auth: "user:dcba"})
require("http").request({auth: "user:custom string"})
});
// Test case: Basic Authorization headers with the credentials written
// directly into the header value (not base64-encoded). Random-looking
// passwords are reported; a single repeated character and a mostly-zero
// numeric string are treated as dummy values and are not. The wrapper
// function is never invoked.
(function () {
// browser API
var headers = new Headers();
headers.append("Authorization", `Basic sdsdag:sdsdag`); // $ Alert
headers.append("Authorization", `Basic sdsdag:xxxxxxxxxxxxxx`);
headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // $ Alert
headers.append("Authorization", `Basic sdsdag:000000000000001`);
});
// Test case: HMAC keys that are obvious placeholders ("mytoken",
// "SampleToken", "MyPassword") are not reported; a random-looking key is.
(function () {
require('crypto').createHmac('sha256', 'mytoken');
require('crypto').createHmac('sha256', 'SampleToken');
require('crypto').createHmac('sha256', 'MyPassword');
require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // $ Alert
})();
// Test case: jwt-simple decode() with a literal verification key. The
// literal is reported and the decode() call is the sink. `UserToken` is
// unresolved on purpose; only the key argument matters here.
(function () {
const jwt_simple = require("jwt-simple");
var privateKey = "myHardCodedPrivateKey"; // $ Alert
jwt_simple.decode(UserToken, privateKey); // $ Sink
})();
// Test case: jose. Three ways of supplying a verification key are covered:
// a raw string turned into bytes with TextEncoder, a PEM-encoded SPKI
// public key imported with importSPKI(), and a JWK whose RSA modulus `n`
// is a literal. Each literal key is reported and each jwtVerify() call is
// a sink. The literal JWT on the lines before the last verify call is a
// token under test, not a key, and carries no expectation. `token` is
// unresolved on purpose.
(async function () {
const jose = require("jose");
var privateKey = "myHardCodedPrivateKey"; // $ Alert
jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // $ Sink
const spki = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9...
-----END PUBLIC KEY-----` // $ Alert
let publicKey = await jose.importSPKI(spki, 'RS256')
jose.jwtVerify(token, publicKey) // $ Sink
const alg = 'RS256'
const jwk = {
kty: 'RSA',
n: 'whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6f...', // $ Alert
e: 'AQAB',
}
publicKey = await jose.importJWK(jwk, alg)
const jwt =
'eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg'
await jose.jwtVerify(jwt, publicKey, { // $ Sink
issuer: 'urn:example:issuer',
audience: 'urn:example:audience',
})
})();
// Test case: express-jwt middleware. One literal secret is reported once
// and reaches two sinks: the `secret` option used directly with HS256, and
// the same string base64-decoded into a Buffer for an RS256 route. `app`
// is unresolved on purpose.
(function () {
const expressjwt = require("express-jwt");
var secretKey = "myHardCodedPrivateKey"; // $ Alert
app.get(
"/protected",
expressjwt.expressjwt({
secret: secretKey, algorithms: ["HS256"] // $ Sink
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
app.get(
"/protected",
expressjwt.expressjwt({
secret: Buffer.from(secretKey, "base64"), // $ Sink
algorithms: ["RS256"],
}),
function (req, res) {
if (!req.auth.admin) return res.sendStatus(401);
res.sendStatus(200);
}
);
})();
// Test case: passport-jwt. The literal secret is reported and reaches two
// sinks: the `secretOrKey` option assigned on the options object, and the
// value handed to `done()` from a `secretOrKeyProvider` callback.
(function () {
const JwtStrategy = require('passport-jwt').Strategy;
const passport = require('passport')
var secretKey = "myHardCodedPrivateKey"; // $ Alert
const opts = {}
opts.secretOrKey = secretKey; // $ Sink
passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
return done(null, false);
}));
passport.use(new JwtStrategy({
secretOrKeyProvider: function (request, rawJwtToken, done) {
return done(null, secretKey) // $ Sink
}
}, function (jwt_payload, done) {
return done(null, false);
}));
})();
// Test case: next-auth `secret` option. The literal secret is reported and
// the option is the sink. The Apple provider's client id and secret are
// read from the environment and are the compliant counterpart -- no
// expectation on those lines. `import` inside a function is not valid
// JavaScript; see the earlier note on this fixture.
(function () {
import NextAuth from "next-auth"
import AppleProvider from "next-auth/providers/apple"
var secretKey = "myHardCodedPrivateKey"; // $ Alert
NextAuth({
secret: secretKey, // $ Sink
providers: [
AppleProvider({
clientId: process.env.APPLE_ID,
clientSecret: process.env.APPLE_SECRET,
}),
],
})
})();
// Test case: koa-jwt middleware with a literal `secret`. The literal is
// reported and the middleware options object is the sink.
(function () {
const Koa = require('koa');
const jwt = require('koa-jwt');
const app = new Koa();
var secretKey = "myHardCodedPrivateKey"; // $ Alert
app.use(jwt({ secret: secretKey })); // $ Sink
})();