JS: Dont flag empty string as hardcoded username

asger-semmle · asger-semmle · commit 32451422031a · 2019-01-28T13:01:52.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
@@ -41,9 +41,14 @@ module HardcodedCredentials {
    * A subclass of `Sink` that includes every `CredentialsExpr`
    * as a credentials sink.
    */
-  class DefaultCredentialsSink extends Sink {
-    DefaultCredentialsSink() { this.asExpr() instanceof CredentialsExpr }
+  class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
+    override CredentialsExpr astNode;
 
-    override string getKind() { result = this.asExpr().(CredentialsExpr).getCredentialsKind() }
+    DefaultCredentialsSink() {
+      // Don't flag an empty user name
+      not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
+    }
+
+    override string getKind() { result = astNode.getCredentialsKind() }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -134,3 +134,13 @@
 (function(){
     require("cookie-session")({ secret: "cookie-session secret" });
 })()
+
+(function(){
+    var request = require('request');
+    request.get(url, { // OK
+        'auth': {
+            'user': '',
+            'pass': process.env.PASSWORD
+        }
+    });
+})();
