JavaScript: Tweak PasswordInConfigurationFile alerts.

Max Schaefer · Max Schaefer · commit a4876270eca3 · 2019-06-05T08:09:19.000+01:00
Only highlight first line, and include the password in the alert
message.
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -12,6 +12,7 @@
  */
 
 import javascript
+import semmle.javascript.RestrictedLocations
 
 /**
  * Holds if some JSON or YAML file contains a property with name `key`
@@ -45,21 +46,22 @@ predicate exclude(File f) {
   f.getExtension().toLowerCase() = "raml"
 }
 
-from string key, string val, Locatable valElement
+from string key, string val, Locatable valElement, string pwd
 where
   config(key, val, valElement) and
   val != "" and
   // exclude possible templates
   not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
   (
     key.toLowerCase() = "password" and
+    pwd = val and
     // exclude interpolations of environment variables
     not val.regexpMatch("\\$.*|%.*%")
     or
     key.toLowerCase() != "readme" and
     // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
     // `password=%s` and `password==`
-    val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
+    pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
   ) and
   not exclude(valElement.getFile())
-select valElement, "Avoid plaintext passwords in configuration files."
+select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file."
diff --git a/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected b/javascript/ql/test/query-tests/Security/CWE-313/PasswordInConfigurationFile.expected
@@ -1,2 +1,3 @@
-| mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
-| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
+| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
+| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
+| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
diff --git a/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml b/javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
@@ -1 +1,7 @@
 password: $$SOME_VAR
+config: |
+    [mail]
+    host = smtp.mydomain.com
+    port = 25
+    username = sample_admin@mydomain.com
+    password = abc
