Merge pull request #1314 from xiemaisi/js/fix-hardcoded-pw-fps

asger-semmle · web-flow · commit 65cbd47a2d42 · 2019-05-16T14:42:09.000+01:00
JavaScript: Further broaden the whitelist in `PasswordInConfigurationFile`.
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -54,7 +54,7 @@ where
   (
     key.toLowerCase() = "password" and
     // exclude interpolations of environment variables
-    not val.regexpMatch("\\$\\w+|\\$[{(].+[)}]|%.*%")
+    not val.regexpMatch("\\$.*|%.*%")
     or
     key.toLowerCase() != "readme" and
     // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
diff --git a/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml b/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
@@ -0,0 +1 @@
+password: $$SOME_VAR

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ where`
`54`	`54`	`(`
`55`	`55`	`key.toLowerCase() = "password" and`
`56`	`56`	`// exclude interpolations of environment variables`
`57`		`- not val.regexpMatch("\\$\\w+\|\\$[{(].+[)}]\|%.*%")`
	`57`	`+ not val.regexpMatch("\\$.\|%.%")`
`58`	`58`	`or`
`59`	`59`	`key.toLowerCase() != "readme" and`
`60`	`60`	// look for `password=...`, but exclude `password=;`, `password="$(...)"`,