Merge pull request #1246 from xiemaisi/js/hardcoded-password

semmle-qlci · web-flow · commit f36eafce3ff7 · 2019-04-17T08:54:09.000+01:00
Approved by asger-semmle
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -31,6 +31,7 @@
 | Expression has no effect       | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
 | Incomplete regular expression for hostnames | More results | This rule now tracks regular expressions for host names further. |
 | Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals. |
+| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism. |
 | Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
 | Server-side URL redirect       | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
 | Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -45,11 +45,14 @@ from string key, string val, Locatable valElement
 where
   config(key, val, valElement) and
   val != "" and
+  // exclude possible templates
+  not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
   (
     key.toLowerCase() = "password"
     or
     key.toLowerCase() != "readme" and
-    val.regexpMatch("(?is).*password\\s*=(?!\\s*;).*")
+    // look for `password=...`, but exclude `password=;` and `password="$(...)"`
+    val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`]).*")
   ) and
   not exclude(valElement.getFile())
 select valElement, "Avoid plaintext passwords in configuration files."
diff --git a/javascript/ql/test/query-tests/Security/CWE-313/tst.yml b/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
@@ -0,0 +1,6 @@
+steps:
+- script: |
+    PASSWORD="$(PASSWORD)" npm install
+    OTHER_PASSWORD=`get password` yarn install
+username: <%= ENV['USERNAME'] %>
+password: <%= ENV['PASSWORD'] %>
