
Commit a487627

author
Max Schaefer
committed
JavaScript: Tweak PasswordInConfigurationFile alerts.
Only highlight first line, and include the password in the alert message.
1 parent 601ea22 commit a487627

3 files changed

+14
-5
lines changed

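--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -12,6 +12,7 @@
 */
 
 import javascript
+import semmle.javascript.RestrictedLocations
 
 /**
 * Holds if some JSON or YAML file contains a property with name `key`
@@ -45,21 +46,22 @@ predicate exclude(File f) {
 f.getExtension().toLowerCase() = "raml"
 }
 
-from string key, string val, Locatable valElement
+from string key, string val, Locatable valElement, string pwd
 where
 config(key, val, valElement) and
 val != "" and
 // exclude possible templates
 not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
 (
 key.toLowerCase() = "password" and
+pwd = val and
 // exclude interpolations of environment variables
 not val.regexpMatch("\\$.*|%.*%")
 or
 key.toLowerCase() != "readme" and
 // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
 // `password=%s` and `password==`
-val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
+pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
 ) and
 not exclude(valElement.getFile())
-select valElement, "Avoid plaintext passwords in configuration files."
+select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file."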
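Review bot: The new `select` interpolates the recovered secret verbatim into the alert message, so the password is copied out of the config file into every place alert text travels — SARIF uploads, code-scanning dashboards, PR annotations, CI logs and notification e-mails — which widens its exposure well beyond people with read access to the repository. Consider reporting only that a password was found, or a redacted form such as `"Hard-coded password '" + pwd.prefix(1) + "…' in configuration file."`, and keep the full value confined to the highlighted source location. Separately, the `(\\S+)` capture in the second branch swallows surrounding quote characters, which is why the expected output for tst4 reads `''secret''`; narrowing the capture to exclude a leading quote (e.g. `['\"]?([^'\"\\s]+)`) would give a clean message. The surrounding `where` clause and `config` predicate are only partly visible in this hunk.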
Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,2 +1,3 @@
1-
| mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
2-
| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
1+
| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
2+
| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
3+
| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
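Review bot: The new expected line `| tst7.yml:2:9:2:6 | \| | ...` records an end column (6) that precedes its start column (9) on the same line, which is not a well-formed location, and accepting it as the baseline would lock that in. It presumably comes from `FirstLineOf` clamping the end line of the YAML block scalar while keeping its original end column — worth confirming against the `RestrictedLocations` implementation before regenerating. If the intent is to highlight just the `|` indicator, the location should read `2:9:2:9`.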
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,7 @@
11
password: $$SOME_VAR
2+
config: |
3+
[mail]
4+
host = smtp.mydomain.com
5+
port = 25
6+
username = sample_admin@mydomain.com
7+
password = abc
