
Commit f36eafc

Merge pull request #1246 from xiemaisi/js/hardcoded-password
Approved by asger-semmle
2 parents 09d0548 + 1d5bb97 commit f36eafc

3 files changed

+11
-1
lines changed


change-notes/1.21/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
@@ -31,6 +31,7 @@
3131
| Expression has no effect | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
3232
| Incomplete regular expression for hostnames | More results | This rule now tracks regular expressions for host names further. |
3333
| Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals. |
34+
| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism. |
3435
| Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
3536
| Server-side URL redirect | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
3637
| Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
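Review bot: The new row's second column reads "Fewer false positive results" while the neighbouring rows ("Expression has no effect", "Server-side URL redirect", "Type confusion through parameter tampering") use the hyphenated "Fewer false-positive results"; use the hyphenated form for consistency. The description could also mention that shell-style substitutions such as `password="$(...)"` and backtick expansions are now excluded, since the query comment in this pull request covers those as well as template delimiters.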

javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql

Lines changed: 4 additions & 1 deletion
@@ -45,11 +45,14 @@ from string key, string val, Locatable valElement
4545
where
4646
config(key, val, valElement) and
4747
val != "" and
48+
// exclude possible templates
49+
not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
4850
(
4951
key.toLowerCase() = "password"
5052
or
5153
key.toLowerCase() != "readme" and
52-
val.regexpMatch("(?is).*password\\s*=(?!\\s*;).*")
54+
// look for `password=...`, but exclude `password=;` and `password="$(...)"`
55+
val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`]).*")
5356
) and
5457
not exclude(valElement.getFile())
5558
select valElement, "Avoid plaintext passwords in configuration files."
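Review bot: The two negative lookaheads in the new regexp are inconsistent about whitespace after `=`: `(?!\\s*;)` tolerates spaces before the `;`, but `(?!\"?[$`])` requires the optional quote and `$` or backtick to follow `=` immediately, so a value such as `password= "$(SECRET)"` is still reported while `password="$(SECRET)"` is not. Consider `(?!\\s*\"?[$`])` so both exclusions behave the same way, and decide whether a single-quoted form like `password='$(...)'` should be treated the same, since the class currently only allows `\"`. Also confirm that the module defining `Templating` is imported at the top of the file; the import section is outside this hunk.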
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
steps:
2+
- script: |
3+
PASSWORD="$(PASSWORD)" npm install
4+
OTHER_PASSWORD=`get password` yarn install
5+
username: <%= ENV['USERNAME'] %>
6+
password: <%= ENV['PASSWORD'] %>
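Review bot: This test file contains only values the updated query should now ignore (the `$(PASSWORD)` substitution, a backtick substitution, and `<%= ... %>` ERB-style templates); add at least one line with a literal plaintext password in the same file so the expected results demonstrate that the query still fires on a true positive instead of just producing an empty result set. Also, the commit touches three files and none of them is a `.expected` file, so the expected-output file for this test needs to be added alongside it.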
