Skip to content

Commit

Permalink
Merge pull request #16417 from erik-krogh/dummyPass
Browse files Browse the repository at this point in the history 
JS: Remove some FPs from the hardcoded-credentials query
  • Loading branch information
@erik-krogh
erik-krogh authored May 7, 2024
2 parents 99940a6 + 39a8b49 commit 8b91914
Show file tree
Hide file tree
Showing 5 changed files with 43 additions and 15 deletions.
4 changes: 2 additions & 2 deletions javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1003,7 +1003,7 @@ module NodeJSLib {
exists(ClientRequestLoginCallback callback | this = callback.getACall().getArgument(0))
}

override string getCredentialsKind() { result = "Node.js http(s) client login username" }
override string getCredentialsKind() { result = "user name" }
}

/**
Expand All @@ -1014,7 +1014,7 @@ module NodeJSLib {
exists(ClientRequestLoginCallback callback | this = callback.getACall().getArgument(1))
}

override string getCredentialsKind() { result = "Node.js http(s) client login password" }
override string getCredentialsKind() { result = "password" }
}

/**
Expand Down
4 changes: 4 additions & 0 deletions javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@
If possible, store configuration files including credential data separately from the source code,
in a secure location with restricted access.
</p>
<p>
If the credentials are a placeholder value, make sure the value is obviously a placeholder by
using a name such as <code>"SampleToken"</code> or <code>"MyPassword"</code>.
</p>
</recommendation>

<example>
Expand Down
2 changes: 1 addition & 1 deletion javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ where
// exclude dummy passwords and templates
not (
sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
["password", "credentials", "token"] and
["password", "credentials", "token", "key"] and
PasswordHeuristics::isDummyPassword(val)
or
sink.getNode().(Sink).getKind() = "authorization header" and
Expand Down
37 changes: 27 additions & 10 deletions javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,12 +153,12 @@ nodes
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' |
Expand Down Expand Up @@ -271,6 +271,18 @@ nodes
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
edges
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
Expand Down Expand Up @@ -326,8 +338,8 @@ edges
| HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' |
| HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
| HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
| HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
Expand Down Expand Up @@ -399,6 +411,10 @@ edges
| HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` | HardcodedCredentials.js:293:37:293:65 | `Basic ... xxxxxx` |
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
| HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
| HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
#select
| HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
| HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
Expand Down Expand Up @@ -448,8 +464,8 @@ edges
| HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | key |
| HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | key |
| HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | key |
| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | key |
| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | key |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization header |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization header |
| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization header |
Expand All @@ -464,3 +480,4 @@ edges
| HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
| HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
| HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
11 changes: 9 additions & 2 deletions javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,8 +157,8 @@
})();

(function(){
require("cookie-session")({ secret: "change_me" }); // NOT OK
require('crypto').createHmac('sha256', 'change_me'); // NOT OK
require("cookie-session")({ secret: "oiuneawrgiyubaegr" }); // NOT OK
require('crypto').createHmac('sha256', 'oiuneawrgiyubaegr'); // NOT OK

var basicAuth = require('express-basic-auth');
basicAuth({users: { [adminName]: 'change_me' }}); // OK
Expand Down Expand Up @@ -294,3 +294,10 @@
headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
});

(function () {
require('crypto').createHmac('sha256', 'mytoken'); // OK
require('crypto').createHmac('sha256', 'SampleToken'); // OK
require('crypto').createHmac('sha256', 'MyPassword'); // OK
require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
})();

0 comments on commit 8b91914

Please sign in to comment.