add additional tests

esbena · esbena · commit 78744a0182a2 · 2022-02-16T09:44:56.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -223,6 +223,42 @@ nodes
 | HardcodedCredentials.js:268:39:268:46 | 'Bearer' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' |
+| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
+| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
+| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
+| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
+| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
+| HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
+| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
+| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
+| HardcodedCredentials.js:281:36:281:45 | "user:foo" |
+| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
+| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
+| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
+| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
+| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
+| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
+| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
+| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
+| HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
+| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
+| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
+| HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
+| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
+| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
+| HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -335,6 +371,18 @@ edges
 | HardcodedCredentials.js:268:39:268:46 | 'Bearer' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
 | HardcodedCredentials.js:268:50:268:56 | 'OAuth' | HardcodedCredentials.js:268:33:268:56 | foo ? ' ... 'OAuth' |
+| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" |
+| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" |
+| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" |
+| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" |
+| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" |
+| HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" |
+| HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" |
+| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" |
+| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" |
+| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" |
+| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" |
+| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -401,3 +449,15 @@ edges
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization header |
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
+| HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | The hard-coded value "user:{{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:275:36:275:59 | "user:{ ... ERE }}" | credentials |
+| HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | The hard-coded value "user:token {{ INSERT_HERE }}" is used as $@. | HardcodedCredentials.js:276:36:276:65 | "user:t ... ERE }}" | credentials |
+| HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | The hard-coded value "user:( INSERT_HERE )" is used as $@. | HardcodedCredentials.js:277:36:277:57 | "user:( ... HERE )" | credentials |
+| HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | The hard-coded value "user:{{ env.access_token }}" is used as $@. | HardcodedCredentials.js:278:36:278:64 | "user:{ ... ken }}" | credentials |
+| HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | The hard-coded value "user:abcdefgh" is used as $@. | HardcodedCredentials.js:279:36:279:50 | "user:abcdefgh" | credentials |
+| HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | The hard-coded value "user:12345678" is used as $@. | HardcodedCredentials.js:280:36:280:50 | "user:12345678" | credentials |
+| HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | HardcodedCredentials.js:281:36:281:45 | "user:foo" | The hard-coded value "user:foo" is used as $@. | HardcodedCredentials.js:281:36:281:45 | "user:foo" | credentials |
+| HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | The hard-coded value "user:mypassword" is used as $@. | HardcodedCredentials.js:282:36:282:52 | "user:mypassword" | credentials |
+| HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | The hard-coded value "user:mytoken" is used as $@. | HardcodedCredentials.js:283:36:283:49 | "user:mytoken" | credentials |
+| HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | The hard-coded value "user:fake token" is used as $@. | HardcodedCredentials.js:284:36:284:52 | "user:fake token" | credentials |
+| HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | The hard-coded value "user:dcba" is used as $@. | HardcodedCredentials.js:285:36:285:46 | "user:dcba" | credentials |
+| HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | The hard-coded value "user:custom string" is used as $@. | HardcodedCredentials.js:286:36:286:55 | "user:custom string" | credentials |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -269,4 +269,19 @@
             "Content-Type": 'application/json'
         })
     });
+});
+
+(function() {
+    require("http").request({auth: "user:{{ INSERT_HERE }}"}); // OK
+    require("http").request({auth: "user:token {{ INSERT_HERE }}"}); // OK
+    require("http").request({auth: "user:( INSERT_HERE )"}); // OK
+    require("http").request({auth: "user:{{ env.access_token }}"}); // OK
+    require("http").request({auth: "user:abcdefgh"}); // OK
+    require("http").request({auth: "user:12345678"}); // OK
+    require("http").request({auth: "user:foo"}); // OK
+    require("http").request({auth: "user:mypassword"}) // OK
+    require("http").request({auth: "user:mytoken"}) // OK
+    require("http").request({auth: "user:fake token"}) // OK
+    require("http").request({auth: "user:dcba"}) // OK
+    require("http").request({auth: "user:custom string"}) // OK
 });
