
Commit 3789cb2

Merge pull request #1402 from xiemaisi/js/pwd-in-cfg-file
Approved by esben-semmle
2 parents 601ea22 + d233cea commit 3789cb2

File tree

6 files changed

+23
-8
lines changed


change-notes/1.21/analysis-javascript.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@
4040
| Expression has no effect | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
4141
| Incomplete regular expression for hostnames | More results | This rule now tracks regular expressions for host names further. |
4242
| Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals, and it no longer flags the removal of trailing newlines. |
43-
| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism or read from environment variables. |
43+
| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism or read from environment variables. Results are no longer shown on LGTM by default. |
4444
| Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
4545
| Server-side URL redirect | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
4646
| Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
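Review bot: the change note leaves out two user-visible effects that the `.ql` diff in this same commit introduces: `@precision` drops from `high` to `medium` (which is the actual reason results are hidden on LGTM by default), and the alert message now quotes the matched password value. Consider stating the precision change explicitly, e.g. "The precision of this query has been lowered to medium; results are no longer shown on LGTM by default.", so readers of the release notes know why their alerts disappeared rather than only that they did.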

javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33
* @description Storing unencrypted passwords in configuration files is unsafe.
44
* @kind problem
55
* @problem.severity warning
6-
* @precision high
6+
* @precision medium
77
* @id js/password-in-configuration-file
88
* @tags security
99
* external/cwe/cwe-256
@@ -12,6 +12,7 @@
1212
*/
1313

1414
import javascript
15+
import semmle.javascript.RestrictedLocations
1516

1617
/**
1718
* Holds if some JSON or YAML file contains a property with name `key`
@@ -45,21 +46,22 @@ predicate exclude(File f) {
4546
f.getExtension().toLowerCase() = "raml"
4647
}
4748

48-
from string key, string val, Locatable valElement
49+
from string key, string val, Locatable valElement, string pwd
4950
where
5051
config(key, val, valElement) and
5152
val != "" and
5253
// exclude possible templates
5354
not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
5455
(
5556
key.toLowerCase() = "password" and
57+
pwd = val and
5658
// exclude interpolations of environment variables
5759
not val.regexpMatch("\\$.*|%.*%")
5860
or
5961
key.toLowerCase() != "readme" and
6062
// look for `password=...`, but exclude `password=;`, `password="$(...)"`,
6163
// `password=%s` and `password==`
62-
val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
64+
pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
6365
) and
6466
not exclude(valElement.getFile())
65-
select valElement, "Avoid plaintext passwords in configuration files."
67+
select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file."
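Review bot: the new `select` on line 67 interpolates the matched secret into the alert text (`"Hard-coded password '" + pwd + "' in configuration file."`), so the plaintext password is copied out of the config file into every results artifact: SARIF output, LGTM alert listings, and the checked-in `.expected` files (see the `'secret'` and `'abc'` strings in the updated expected output). That widens exposure of the very value the query is warning about; consider reporting only that a hard-coded password is present, or masking most of `pwd` (for example keeping just the first two characters). Two smaller points on the regexp at line 64: `(\\S+)` keeps surrounding quotes, which is why the tst4 result now reads `''secret''`, and because `\\S+` requires at least one character, a bare `password=` followed by end of line is no longer flagged (the old pattern's trailing `.*` accepted it); if that narrowing is intentional, adding it to the `exclude password=;` comment list above would document it.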

javascript/ql/src/semmle/javascript/frameworks/Templating.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,6 @@ module Templating {
3737
* storing it in its first (and only) capture group.
3838
*/
3939
string getDelimiterMatchingRegexp() {
40-
result = ".*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
40+
result = "(?s).*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
4141
}
4242
}
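Review bot: adding `(?s)` is what lets `getDelimiterMatchingRegexp()` exclude the multi-line block scalar in the new templating test (the `{{pwd}}` value spans several lines), but the QLDoc above still describes the pattern only in terms of the delimiter and its capture group; a sentence noting that the match is DOTALL and meant to cover multi-line values would save the next reader a trip to the test. Also worth a glance: if `getADelimiter()` ever had no results, `concat` yields the empty string and the regexp becomes `(?s).*().*`, which matches every value and would silently exclude every password from the query; either a guard such as `exists(getADelimiter())` at the call site or a comment stating that the delimiter set is never empty would make that assumption explicit.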
Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
1-
| mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
2-
| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
1+
| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
2+
| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
3+
| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
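Review bot: the new location on line 3, `tst7.yml:2:9:2:6`, has an end column (6) that precedes its start column (9), which suggests the `(FirstLineOf)` cast on a YAML block scalar (`|`) is producing an inverted range rather than the first line of the value; please check the location computation before committing this expected output, since an inverted range will not render sensibly in alert views. The `''secret''` message on line 2 also shows the captured value retaining its own quotes, so wrapping it in quotes in the message doubles them; stripping a leading and trailing quote from `pwd` before building the message would tidy that up.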
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,7 @@
11
password: $$SOME_VAR
2+
config: |
3+
[mail]
4+
host = smtp.mydomain.com
5+
port = 25
6+
username = sample_admin@mydomain.com
7+
password = abc
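Review bot: the new block scalar covers the unquoted ini-style `password = abc` case; a companion line with a quoted value (`password = "abc"`) or one with a trailing comment would pin down how much of the line `(\\S+)` captures, which matters now that the captured text is echoed in the alert message.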
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
config: |
2+
[mail]
3+
host = smtp.mydomain.com
4+
port = 25
5+
username = {{username}}
6+
password = {{pwd}}
