
Commit 3c80200

committed
add support for string concatenations and base64-encoding of hardcoded credentials
1 parent b6dc94f commit 3c80200

3 files changed

Lines changed: 40 additions & 11 deletions


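--- a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
@@ -20,5 +20,12 @@ module HardcodedCredentials {
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
 override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
+or
+trg.(StringOps::ConcatenationRoot).getALeaf() = src and
+not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
+}
 }
 }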
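Review bot: The new `isAdditionalFlowStep` has no QLDoc, and the one trailing comment sits on the last conjunct even though the exclusion it explains is a deliberate precision trade-off a reader should see before the predicate body. I would add a doc comment above the predicate, `/** Holds if `src` flows to `trg` through a base64 encoding or as a leaf of a string concatenation, so credentials assembled into e.g. a `Basic` authorization header are still tracked; leaves with a known string value are excluded so separators such as the ":" in `user + ":" + pass` are not reported. */`, and move the trailing comment onto its own line above the `not exists(...)` conjunct. That exclusion presumably also stops a credential literal that is itself a concatenation leaf (written directly into the template rather than reaching it through a variable as the test does), since such a leaf has a string value; if that is intended it deserves a sentence in the doc comment, otherwise a test case. The enclosing configuration class starts outside the hunk.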

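--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -162,11 +162,20 @@ nodes
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
-| HardcodedCredentials.js:170:11:170:25 | PASS |
-| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
-| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' |
-| HardcodedCredentials.js:175:30:175:33 | PASS |
-| HardcodedCredentials.js:175:30:175:33 | PASS |
+| HardcodedCredentials.js:171:11:171:25 | USER |
+| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
+| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' |
+| HardcodedCredentials.js:172:11:172:25 | PASS |
+| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' |
+| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' |
+| HardcodedCredentials.js:173:11:173:49 | AUTH |
+| HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) |
+| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:173:35:173:38 | USER |
+| HardcodedCredentials.js:173:43:173:46 | PASS |
+| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:178:37:178:40 | AUTH |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -225,10 +234,19 @@ edges
 | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
 | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
-| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
-| HardcodedCredentials.js:170:11:170:25 | PASS | HardcodedCredentials.js:175:30:175:33 | PASS |
-| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
-| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:11:170:25 | PASS |
+| HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
+| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
+| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
+| HardcodedCredentials.js:172:11:172:25 | PASS | HardcodedCredentials.js:173:43:173:46 | PASS |
+| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
+| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:11:172:25 | PASS |
+| HardcodedCredentials.js:173:11:173:49 | AUTH | HardcodedCredentials.js:178:37:178:40 | AUTH |
+| HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) | HardcodedCredentials.js:173:11:173:49 | AUTH |
+| HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` | HardcodedCredentials.js:173:18:173:49 | base64. ... PASS}`) |
+| HardcodedCredentials.js:173:35:173:38 | USER | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:173:43:173:46 | PASS | HardcodedCredentials.js:173:32:173:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:178:37:178:40 | AUTH | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -283,4 +301,5 @@ edges
 | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "abcdefgh" | key |
 | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
 | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
-| HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:170:18:170:25 | 'sdsdag' | HardcodedCredentials.js:175:30:175:33 | PASS | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:175:30:175:33 | PASS | authorization headers |
+| HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |
+| HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:28:178:42 | `Basic ${AUTH}` | authorization headers |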

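--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -165,14 +165,17 @@
 })();
 
 (async function () {
+const base64 = require('base-64');
 const fetch = require("node-fetch");
 
+const USER = 'sdsdag';
 const PASS = 'sdsdag';
+const AUTH = base64.encode(`${USER}:${PASS}`);
 
 const rsp = await fetch(ENDPOINT, {
 method: 'get',
 headers: new fetch.Headers({
-'Authorization': PASS,
+Authorization: `Basic ${AUTH}`,
 'Content-Type': 'application/json'
 })
 });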
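Review bot: `USER` and `PASS` are given the same literal `'sdsdag'`, so the two new `#select` rows in the expected file differ only in their source location and carry an identical message; a distinct value such as `const USER = 'someuser';` would make the expected output show that the user-name leaf and the password leaf each reach the header independently. The commit also replaces the direct `'Authorization': PASS,` case rather than adding beside it, so the pre-existing single-variable flow into the header is no longer covered by this test; keeping a second request with the old header next to the new `Basic` one would preserve that coverage. The enclosing async function closes outside the hunk.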
