codeql/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll

/**
* Provides default sources, sinks and sanitizers for reasoning about
* hardcoded credentials, as well as extension points for adding your
* own.
*/
import semmle.javascript.filters.ClassifyFiles
import javascript
private import semmle.javascript.security.SensitiveActions
module HardcodedCredentials {
  /**
   * A data flow source for hardcoded credentials.
   *
   * Extend this class to add your own sources.
   */
  abstract class Source extends DataFlow::Node { }

  /**
   * A data flow sink for hardcoded credentials.
   *
   * Extend this class to add your own sinks; each sink reports the kind of
   * credential it expects via `getKind()`.
   */
  abstract class Sink extends DataFlow::Node {
    /** Gets the kind of credential this sink expects (for example, `jwt key`). */
    abstract string getKind();
  }

  /**
   * A sanitizer for hardcoded credentials.
   *
   * Extend this class to add your own sanitizers. A sanitizer carries no kind:
   * it blocks flow to every `Sink`, whatever that sink's `getKind()` is.
   */
  abstract class Sanitizer extends DataFlow::Node { }

  /**
   * A constant string, considered as a source of hardcoded credentials.
   *
   * Empty string literals are excluded, since an empty string cannot act as a
   * credential and would only produce noise.
   */
  class ConstantStringSource extends Source, DataFlow::ValueNode {
    override ConstantString astNode;

    // The empty string is never a credential, so it is not a source.
    ConstantStringSource() { not astNode.getStringValue() = "" }
  }

  /**
   * A subclass of `Sink` that includes every `CredentialsNode`
   * as a credentials sink.
   *
   * The kind of the sink is the credentials kind of the underlying node.
   * Sinks of kind `jwt key` located in test files are excluded — presumably
   * because test fixtures routinely embed throwaway signing keys that would
   * otherwise be reported as findings.
   */
  class DefaultCredentialsSink extends Sink instanceof CredentialsNode {
    override string getKind() { result = super.getCredentialsKind() }

    DefaultCredentialsSink() {
      // Only the `jwt key` kind is exempted in test files; every other
      // credentials kind remains a sink regardless of file classification.
      not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
    }
  }

  /**
   * A node that a model marks as a barrier of kind `credentials-<kind>`.
   *
   * Note that a sanitizer with kind `credentials-key` will sanitize flow to
   * all sinks, not just sinks with the same kind: the `<kind>` suffix is
   * only required to exist and is never compared with `Sink.getKind()`.
   */
  private class CredentialSanitizerFromModel extends Sanitizer {
    CredentialSanitizerFromModel() {
      // Any barrier kind with the `credentials-` prefix qualifies.
      exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind))
    }
  }
}