better support for browser based fetch API

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -1145,22 +1145,31 @@ module NodeJSLib {
     DataFlow::SourceNode moduleImport() {
       result = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
       or
-      result = DataFlow::globalVarRef("fetch")
+      result = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
+    }
+
+    /**
+     * Gets an instance of the `Headers` class.
+     */
+    private DataFlow::NewNode header() {
+      result = moduleImport().getAConstructorInvocation("Headers")
+      or
+      result = DataFlow::globalVarRef("Headers").getAnInstantiation() // https://fetch.spec.whatwg.org/#headers-class
     }
 
     /** An expression that is passed as `http.request({ auth: <expr> }, ...)`. */
-    class FetchAuthorization extends CredentialsExpr {
+    private class FetchAuthorization extends CredentialsExpr {
       FetchAuthorization() {
         exists(DataFlow::Node headers |
-          headers = moduleImport().getAConstructorInvocation("Headers").getArgument(0)
+          headers = header().getArgument(0)
           or
           headers = moduleImport().getACall().getOptionArgument(1, "headers")
         |
           this = headers.getALocalSource().getAPropertyWrite("Authorization").getRhs().asExpr()
         )
         or
         exists(DataFlow::MethodCallNode appendCall |
-          appendCall = moduleImport().getAConstructorInvocation("Headers").getAMethodCall(["append", "set"]) and
+          appendCall = header().getAMethodCall(["append", "set"]) and
           appendCall.getArgument(0).mayHaveStringValue("Authorization") and
           this = appendCall.getArgument(1).asExpr()
         )

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected

@@ -185,6 +185,20 @@ nodes
 | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:204:44:204:47 | AUTH |
+| HardcodedCredentials.js:214:11:214:25 | USER |
+| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' |
+| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' |
+| HardcodedCredentials.js:215:11:215:25 | PASS |
+| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' |
+| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' |
+| HardcodedCredentials.js:216:11:216:49 | AUTH |
+| HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) |
+| HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:216:35:216:38 | USER |
+| HardcodedCredentials.js:216:43:216:46 | PASS |
+| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:221:46:221:49 | AUTH |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -265,6 +279,19 @@ edges
 | HardcodedCredentials.js:195:46:195:49 | AUTH | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:204:44:204:47 | AUTH | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:214:11:214:25 | USER | HardcodedCredentials.js:216:35:216:38 | USER |
+| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:11:214:25 | USER |
+| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:11:214:25 | USER |
+| HardcodedCredentials.js:215:11:215:25 | PASS | HardcodedCredentials.js:216:43:216:46 | PASS |
+| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:11:215:25 | PASS |
+| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:11:215:25 | PASS |
+| HardcodedCredentials.js:216:11:216:49 | AUTH | HardcodedCredentials.js:221:46:221:49 | AUTH |
+| HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) | HardcodedCredentials.js:216:11:216:49 | AUTH |
+| HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` | HardcodedCredentials.js:216:18:216:49 | base64. ... PASS}`) |
+| HardcodedCredentials.js:216:35:216:38 | USER | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:216:43:216:46 | PASS | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
+| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -327,3 +354,5 @@ edges
 | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization headers |
 | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization headers |
 | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
+| HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
+| HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js

@@ -206,4 +206,21 @@
         method: 'get',
         headers: headers2
     });
+});
+
+(function () {
+    const base64 = require('base-64');
+
+    const USER = 'sdsdag';
+    const PASS = 'sdsdag';
+    const AUTH = base64.encode(`${USER}:${PASS}`);
+
+    // browser API
+    var headers = new Headers();
+    headers.append("Content-Type", 'application/json');
+    headers.append("Authorization", `Basic ${AUTH}`);
+    fetch(ENDPOINT, {
+        method: 'get',
+        headers: headers
+    });
 });