codeql/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll
2022-03-13 23:54:53 +01:00


/**
* Provides a data flow configuration for reasoning about hardcoded
* credentials.
* Note, for performance reasons: only import this file if
* `HardcodedCredentials::Configuration` is needed, otherwise
* `HardcodedCredentialsCustomizations` should be imported instead.
*/
import javascript
import HardcodedCredentialsCustomizations::HardcodedCredentials
/**
 * A data flow configuration that tracks values from hardcoded-credential
 * sources to credential sinks.
 *
 * `Source`, `Sink` and `Sanitizer` are the classes brought into scope by the
 * `HardcodedCredentialsCustomizations::HardcodedCredentials` import; this
 * class only wires them into a `DataFlow::Configuration` and adds a few
 * flow steps on top of the default ones.
 */
class Configuration extends DataFlow::Configuration {
  Configuration() { this = "HardcodedCredentials" }

  /** Holds if `source` is one of the customization module's `Source` nodes. */
  override predicate isSource(DataFlow::Node source) { source instanceof Source }

  /** Holds if `sink` is one of the customization module's `Sink` nodes. */
  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  /**
   * Holds if flow through `node` is blocked, either because it is a
   * `Sanitizer` or because the inherited configuration already treats it as
   * a barrier.
   */
  override predicate isBarrier(DataFlow::Node node) {
    node instanceof Sanitizer
    or
    super.isBarrier(node)
  }

  /**
   * Holds if a value should be tracked from `src` to `trg` in addition to
   * the default flow steps. Three value-wrapping operations are covered:
   * base64 encoding, string concatenation and `Buffer.from(...)`.
   *
   * NOTE(review): presumably these exist so that a credential which is
   * concatenated or encoded before use (e.g. `user + ":" + pass`) still
   * reaches a sink; confirm against the sinks in the customizations module.
   */
  override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
    // Base64 encoding: the encoder's input flows to its output.
    exists(Base64::Encode enc | enc.getInput() = src and enc.getOutput() = trg)
    or
    // String concatenation: a leaf flows to the concatenation root, but only
    // when the leaf has no constant string value. This avoids e.g. the ":" in
    // `user + ":" + pass` being flagged as a constant credential. As a
    // consequence this step never applies to a leaf whose string value is
    // known.
    (
      not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) and
      src = trg.(StringOps::ConcatenationRoot).getALeaf()
    )
    or
    // `Buffer.from(x, ...)`: the first argument flows to the call result.
    exists(DataFlow::MethodCallNode fromCall |
      fromCall = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
      src = fromCall.getArgument(0) and
      trg = fromCall
    )
  }
}