recognize another kind of dummy passwords to fix an FP in hardcoded-credentials

erik-krogh · erik-krogh · commit 0a5ff1b79a29 · 2022-09-29T21:25:40.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
@@ -213,6 +213,9 @@ module PasswordHeuristics {
       normalized
           .regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth|fake|(my(token|password))|string|foo|bar|baz|qux|1234|3141|abcd).*")
     )
+    or
+    // repeats the same char more than 10 times
+    password.regexpMatch(".*([a-zA-Z0-9])\\1{10,}.*")
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -284,4 +284,13 @@
     require("http").request({auth: "user:fake token"}) // OK
     require("http").request({auth: "user:dcba"}) // OK
     require("http").request({auth: "user:custom string"}) // OK
-});
+});
+
+(function () {
+    // browser API
+    var headers = new Headers();
+    headers.append("Authorization", `Basic sdsdag:sdsdag`); // NOT OK
+    headers.append("Authorization", `Basic sdsdag:xxxxxxxxxxxxxx`); // OK
+    headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
+    headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
+});

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,9 @@ module PasswordHeuristics {`
`213`	`213`	`normalized`
`214`	`214`	`.regexpMatch(".(pass\|test\|sample\|example\|secret\|root\|admin\|user\|change\|auth\|fake\|(my(token\|password))\|string\|foo\|bar\|baz\|qux\|1234\|3141\|abcd).")`
`215`	`215`	`)`
	`216`	`+ or`
	`217`	`+ // repeats the same char more than 10 times`
	`218`	`+ password.regexpMatch(".([a-zA-Z0-9])\\1{10,}.")`
`216`	`219`	`}`
`217`	`220`
`218`	`221`	`/**`