Merge pull request #1655 from asger-semmle/hardcoded-creds-fp

semmle-qlci · web-flow · commit cff826221c43 · 2019-07-31T09:55:16.000+01:00
Approved by xiemaisi
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -28,6 +28,10 @@ module HardcodedCredentials {
   /** A constant string, considered as a source of hardcoded credentials. */
   class ConstantStringSource extends Source, DataFlow::ValueNode {
     override ConstantString astNode;
+
+    ConstantStringSource() {
+      not astNode.getStringValue() = ""
+    }
   }
 
   /**
@@ -37,11 +41,6 @@ module HardcodedCredentials {
   class DefaultCredentialsSink extends Sink, DataFlow::ValueNode {
     override CredentialsExpr astNode;
 
-    DefaultCredentialsSink() {
-      // Don't flag an empty user name
-      not (astNode.getCredentialsKind() = "user name" and astNode.getStringValue() = "")
-    }
-
     override string getKind() { result = astNode.getCredentialsKind() }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -144,3 +144,14 @@
         }
     });
 })();
+
+(function(){
+    var request = require('request');
+    let pass = getPassword() || '';
+    request.get(url, { // OK
+        'auth': {
+            'user': process.env.USER || '',
+            'pass': pass,
+        }
+    });
+})();
