update tests

am0o0 · am0o0 · commit d77513579f3f · 2024-05-25T12:15:25.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -213,6 +213,11 @@ nodes
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:246:42:246:51 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:249:23:249:31 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
@@ -283,6 +288,50 @@ nodes
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:320:11:323:29 | spki |
+| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` |
+| HardcodedCredentials.js:324:11:324:58 | publicKey |
+| HardcodedCredentials.js:324:23:324:58 | await j ... RS256') |
+| HardcodedCredentials.js:324:45:324:48 | spki |
+| HardcodedCredentials.js:325:27:325:35 | publicKey |
+| HardcodedCredentials.js:325:27:325:35 | publicKey |
+| HardcodedCredentials.js:331:9:331:43 | secretKey |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:336:21:336:29 | secretKey |
+| HardcodedCredentials.js:336:21:336:29 | secretKey |
+| HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:347:33:347:41 | secretKey |
+| HardcodedCredentials.js:362:9:362:43 | secretKey |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:365:24:365:32 | secretKey |
+| HardcodedCredentials.js:365:24:365:32 | secretKey |
+| HardcodedCredentials.js:372:31:372:39 | secretKey |
+| HardcodedCredentials.js:372:31:372:39 | secretKey |
+| HardcodedCredentials.js:383:9:383:43 | secretKey |
+| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:386:17:386:25 | secretKey |
+| HardcodedCredentials.js:386:17:386:25 | secretKey |
+| HardcodedCredentials.js:401:9:401:43 | secretKey |
+| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" |
+| HardcodedCredentials.js:403:27:403:35 | secretKey |
+| HardcodedCredentials.js:403:27:403:35 | secretKey |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -384,10 +433,15 @@ edges
 | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
 | HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
 | HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:9:245:44 | privateKey | HardcodedCredentials.js:246:42:246:51 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:9:245:44 | privateKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:9:248:42 | publicKey | HardcodedCredentials.js:249:23:249:31 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:9:248:42 | publicKey |
 | HardcodedCredentials.js:260:30:260:40 | `Basic foo` | HardcodedCredentials.js:260:30:260:40 | `Basic foo` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
 | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' | HardcodedCredentials.js:268:30:268:73 | `${foo  ... Token}` |
@@ -415,6 +469,43 @@ edges
 | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
 | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:9:308:44 | privateKey | HardcodedCredentials.js:309:34:309:43 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:9:308:44 | privateKey |
+| HardcodedCredentials.js:316:9:316:44 | privateKey | HardcodedCredentials.js:317:52:317:61 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:9:316:44 | privateKey |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:317:52:317:61 | privateKey | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) |
+| HardcodedCredentials.js:320:11:323:29 | spki | HardcodedCredentials.js:324:45:324:48 | spki |
+| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:11:323:29 | spki |
+| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:11:323:29 | spki |
+| HardcodedCredentials.js:324:11:324:58 | publicKey | HardcodedCredentials.js:325:27:325:35 | publicKey |
+| HardcodedCredentials.js:324:11:324:58 | publicKey | HardcodedCredentials.js:325:27:325:35 | publicKey |
+| HardcodedCredentials.js:324:23:324:58 | await j ... RS256') | HardcodedCredentials.js:324:11:324:58 | publicKey |
+| HardcodedCredentials.js:324:45:324:48 | spki | HardcodedCredentials.js:324:23:324:58 | await j ... RS256') |
+| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:336:21:336:29 | secretKey |
+| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:336:21:336:29 | secretKey |
+| HardcodedCredentials.js:331:9:331:43 | secretKey | HardcodedCredentials.js:347:33:347:41 | secretKey |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:9:331:43 | secretKey |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:9:331:43 | secretKey |
+| HardcodedCredentials.js:347:33:347:41 | secretKey | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:347:33:347:41 | secretKey | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") |
+| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:365:24:365:32 | secretKey |
+| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:365:24:365:32 | secretKey |
+| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:372:31:372:39 | secretKey |
+| HardcodedCredentials.js:362:9:362:43 | secretKey | HardcodedCredentials.js:372:31:372:39 | secretKey |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:9:362:43 | secretKey |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:9:362:43 | secretKey |
+| HardcodedCredentials.js:383:9:383:43 | secretKey | HardcodedCredentials.js:386:17:386:25 | secretKey |
+| HardcodedCredentials.js:383:9:383:43 | secretKey | HardcodedCredentials.js:386:17:386:25 | secretKey |
+| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:9:383:43 | secretKey |
+| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:9:383:43 | secretKey |
+| HardcodedCredentials.js:401:9:401:43 | secretKey | HardcodedCredentials.js:403:27:403:35 | secretKey |
+| HardcodedCredentials.js:401:9:401:43 | secretKey | HardcodedCredentials.js:403:27:403:35 | secretKey |
+| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
+| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:9:401:43 | secretKey |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -478,6 +569,16 @@ edges
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:248:21:248:42 | "myHard ... licKey" | HardcodedCredentials.js:249:23:249:31 | publicKey | The hard-coded value "myHardCodedPublicKey" is used as $@. | HardcodedCredentials.js:249:23:249:31 | publicKey | key |
 | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic  ... sdsdag` | authorization header |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | authorization header |
 | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |
+| HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:308:22:308:44 | "myHard ... ateKey" | HardcodedCredentials.js:309:34:309:43 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:309:34:309:43 | privateKey | key |
+| HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:316:22:316:44 | "myHard ... ateKey" | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:317:27:317:62 | new Tex ... ateKey) | key |
+| HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:320:18:323:29 | `-----B ... Y-----` | HardcodedCredentials.js:325:27:325:35 | publicKey | The hard-coded value "-----BEGIN PUBLIC KEY-----\n    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9\n    ...\n    -----END PUBLIC KEY-----" is used as $@. | HardcodedCredentials.js:325:27:325:35 | publicKey | key |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:336:21:336:29 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:336:21:336:29 | secretKey | key |
+| HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:331:21:331:43 | "myHard ... ateKey" | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:347:21:347:52 | Buffer. ... ase64") | key |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:365:24:365:32 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:365:24:365:32 | secretKey | key |
+| HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:362:21:362:43 | "myHard ... ateKey" | HardcodedCredentials.js:372:31:372:39 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:372:31:372:39 | secretKey | key |
+| HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:383:21:383:43 | "myHard ... ateKey" | HardcodedCredentials.js:386:17:386:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:386:17:386:25 | secretKey | key |
+| HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:401:21:401:43 | "myHard ... ateKey" | HardcodedCredentials.js:403:27:403:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:403:27:403:35 | secretKey | key |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -300,4 +300,105 @@
     require('crypto').createHmac('sha256', 'SampleToken'); // OK
     require('crypto').createHmac('sha256', 'MyPassword'); // OK
     require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
+})();
+
+(function () {
+    const jwt_simple = require("jwt-simple");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jwt_simple.decode(UserToken, privateKey); // NOT OK
+})();
+
+
+(async function () {
+    const jose = require("jose");
+
+    var privateKey = "myHardCodedPrivateKey";
+    jose.jwtVerify(token, new TextEncoder().encode(privateKey)) // NOT OK
+
+
+    const spki = `-----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhYOFK2Ocbbpb/zVypi9
+    ...
+    -----END PUBLIC KEY-----`
+    const publicKey = await jose.importSPKI(spki, 'RS256')
+    jose.jwtVerify(token, publicKey) // NOT OK
+})();
+
+(function () {
+    const expressjwt = require("express-jwt");
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: secretKey, algorithms: ["HS256"] // NOT OK
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+    app.get(
+        "/protected",
+        expressjwt.expressjwt({
+            secret: Buffer.from(secretKey, "base64"), // NOT OK
+            algorithms: ["RS256"],
+        }),
+        function (req, res) {
+            if (!req.auth.admin) return res.sendStatus(401);
+            res.sendStatus(200);
+        }
+    );
+
+})();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
+
+(function () {
+    import NextAuth from "next-auth"
+    import AppleProvider from "next-auth/providers/apple"
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    NextAuth({
+        secret: secretKey, // NOT OK
+        providers: [
+            AppleProvider({
+                clientId: process.env.APPLE_ID,
+                clientSecret: process.env.APPLE_SECRET,
+            }),
+        ],
+    })
+})();
+
+(function () {
+    const Koa = require('koa');
+    const jwt = require('koa-jwt');
+    const app = new Koa();
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    app.use(jwt({ secret: secretKey })); // NOT OK
 })();
