
Commit 378b0bf

committed
JS: Do not treat the empty string as a credential
1 parent 6d10731 commit 378b0bf

2 files changed

+15
-5
lines changed


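--- a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -28,6 +28,10 @@ module HardcodedCredentials {
   /** A constant string, considered as a source of hardcoded credentials. */
   class ConstantStringSource extends Source, DataFlow::ValueNode {
     override ConstantString astNode;
+
+    ConstantStringSource() {
+      not astNode.getStringValue() = ""
+    }
   }
 
   /**
@@ -37,11 +41,6 @@ module HardcodedCredentials {
   class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
     override CredentialsExpr astNode;
 
-    DefaultCredentialsSink() {
-      // Don't flag an empty user name
-      not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
-    }
-
     override string getKind() { result = astNode.getCredentialsKind() }
   }
 }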
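Review bot: The new characteristic predicate on `ConstantStringSource` carries no comment saying why `""` is excluded, and it quietly widens an exclusion that the removed `DefaultCredentialsSink` constructor limited to the `"user name"` kind: an empty literal now never becomes a source at all, so a hardcoded empty password or token default will no longer be reported for any credential kind either. An empty password can itself be a finding (CWE-258), so that trade-off deserves to be stated where the filter lives rather than only implied by the test. I would add above the predicate: `// The empty string is a placeholder (e.g. the fallback in x || ''), not a credential; excluding it here covers every sink kind, so empty passwords/tokens are deliberately not reported either`. The `/**` at the end of the first hunk opens the doc comment of `DefaultCredentialsSink`, which lies outside the hunk; if that comment still mentions the empty-user-name special case it needs the same update.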

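--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -144,3 +144,14 @@
     }
   });
 })();
+
+(function(){
+  var request = require('request');
+  let pass = getPassword() || '';
+  request.get(url, { // OK
+    'auth': {
+      'user': process.env.USER || '',
+      'pass': pass,
+    }
+  });
+})();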
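Review bot: The added test only exercises the `x || ''` fallback shape; nothing pins what happens to a directly hardcoded empty credential such as `'pass': ''`, which the source-side exclusion in the accompanying `.qll` change appears to stop reporting as well. A second `request.get` call in the same style with `'user': '', // OK` and `'pass': '', // OK` would lock that behaviour in, so a later edit to `ConstantStringSource` cannot regress it unnoticed, and a sibling `'pass': 'hunter2' // NOT OK` case would confirm the non-empty path is still flagged. Style: the new block mixes `var request` and `let pass` although neither is reassigned; `const` for both would match the declaration style the cheat sheet recommends. The preceding `})();` closes an IIFE whose body starts outside this hunk, and the expected-results file that gives `// OK` its meaning is not part of this diff.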
