ignore deliberately hardcoded password strings

esbena · esbena · commit 816d79692b62 · 2022-02-16T09:47:01.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
@@ -214,7 +214,8 @@ module PasswordHeuristics {
     or
     exists(string normalized | normalized = password.toLowerCase() |
       count(normalized.charAt(_)) = 1 or
-      normalized.regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth).*")
+      normalized
+          .regexpMatch(".*(pass|test|sample|example|secret|root|admin|user|change|auth|fake|(my(token|password))|string|foo|bar|baz|qux|1234|3141|abcd).*")
     )
   }
 
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -17,20 +17,26 @@ import javascript
 import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
 import DataFlow::PathGraph
 
+bindingset[s]
+predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
+
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
 where
   cfg.hasFlowPath(source, sink) and
   // use source value in message if it's available
   if source.getNode().asExpr() instanceof ConstantString
   then
     exists(string val | val = source.getNode().getStringValue() |
-      // exclude dummy passwords
+      // exclude dummy passwords and templates
       not (
-        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "password" and
+        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
+          ["password", "credentials", "token"] and
         PasswordHeuristics::isDummyPassword(val)
         or
         sink.getNode().(Sink).getKind() = "authorization header" and
         PasswordHeuristics::isDummyAuthHeader(val)
+        or
+        looksLikeATemplate(val)
       ) and
       value = "The hard-coded value \"" + val + "\""
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -386,9 +386,6 @@ edges
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
-| HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:15:36:15:50 | "user:hgfedcba" | credentials |
-| HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:16:37:16:51 | "user:hgfedcba" | credentials |
-| HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:18:16:18:30 | "user:hgfedcba" | HardcodedCredentials.js:20:36:20:51 | getCredentials() | The hard-coded value "user:hgfedcba" is used as $@. | HardcodedCredentials.js:20:36:20:51 | getCredentials() | credentials |
 | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | HardcodedCredentials.js:27:25:27:31 | 'admin' | The hard-coded value "admin" is used as $@. | HardcodedCredentials.js:27:25:27:31 | 'admin' | user name |
 | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:27:34:27:43 | 'hgfedcba' | password |
 | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | The hard-coded value "unknown-admin-name" is used as $@. | HardcodedCredentials.js:29:11:29:30 | 'unknown-admin-name' | user name |
@@ -449,15 +446,3 @@ edges
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
-| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | The hard-coded value "user:{{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | credentials |
-| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | The hard-coded value "user:token {{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | credentials |
-| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | The hard-coded value "user:( INSERT_HERE )" is used as $@. | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | credentials |
-| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | The hard-coded value "user:{{ env.access_token }}" is used as $@. | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | credentials |
-| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | credentials |
-| HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | The hard-coded value "user:12345678" is used as $@. | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | credentials |
-| HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | The hard-coded value "user:foo" is used as $@. | HardcodedCredentials.js:281:36:281:45 | "user:foo" | credentials |
-| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | The hard-coded value "user:mypassword" is used as $@. | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | credentials |
-| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | The hard-coded value "user:mytoken" is used as $@. | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | credentials |
-| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | The hard-coded value "user:fake token" is used as $@. | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | credentials |
-| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | The hard-coded value "user:dcba" is used as $@. | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | credentials |
-| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | The hard-coded value "user:custom string" is used as $@. | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | credentials |

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,8 @@ module PasswordHeuristics {`
`214`	`214`	`or`
`215`	`215`	`exists(string normalized \| normalized = password.toLowerCase() \|`
`216`	`216`	`count(normalized.charAt(_)) = 1 or`
`217`		`- normalized.regexpMatch(".(pass\|test\|sample\|example\|secret\|root\|admin\|user\|change\|auth).")`
	`217`	`+ normalized`
	`218`	`+ .regexpMatch(".(pass\|test\|sample\|example\|secret\|root\|admin\|user\|change\|auth\|fake\|(my(token\|password))\|string\|foo\|bar\|baz\|qux\|1234\|3141\|abcd).")`
`218`	`219`	`)`
`219`	`220`	`}`
`220`	`221`