support credentials in a Buffer

erik-krogh · erik-krogh · commit a1940979ba8f · 2020-06-03T12:02:00.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
@@ -21,11 +21,17 @@ module HardcodedCredentials {
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) { 
+    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
       exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
       or
       trg.(StringOps::ConcatenationRoot).getALeaf() = src and
       not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
+      or
+      exists(DataFlow::MethodCallNode bufferFrom |
+        bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
+        trg = bufferFrom and
+        src = bufferFrom.getArgument(0)
+      )
     }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -199,6 +199,15 @@ nodes
 | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:221:46:221:49 | AUTH |
+| HardcodedCredentials.js:231:11:231:29 | username |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' |
+| HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
+| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
+| HardcodedCredentials.js:237:47:237:54 | username |
+| HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' |
@@ -292,6 +301,14 @@ edges
 | HardcodedCredentials.js:216:43:216:46 | PASS | HardcodedCredentials.js:216:32:216:48 | `${USER}:${PASS}` |
 | HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
 | HardcodedCredentials.js:221:46:221:49 | AUTH | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` |
+| HardcodedCredentials.js:231:11:231:29 | username | HardcodedCredentials.js:237:47:237:54 | username |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:11:231:29 | username |
+| HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) | HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') |
+| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:35:237:91 | Buffer. ... ase64') | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') |
+| HardcodedCredentials.js:237:47:237:54 | username | HardcodedCredentials.js:237:47:237:71 | usernam ... assword |
+| HardcodedCredentials.js:237:47:237:71 | usernam ... assword | HardcodedCredentials.js:237:35:237:72 | Buffer. ... ssword) |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | The hard-coded value "abcdefgh" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'abcdefgh' | password |
@@ -356,3 +373,4 @@ edges
 | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:172:18:172:25 | 'sdsdag' | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:204:35:204:49 | `Basic ${AUTH}` | authorization headers |
 | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:214:18:214:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
 | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:215:18:215:25 | 'sdsdag' | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:221:37:221:51 | `Basic ${AUTH}` | authorization headers |
+| HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:231:22:231:29 | 'sdsdag' | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:237:24:237:91 | 'Basic  ... ase64') | authorization headers |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -223,4 +223,18 @@
         method: 'get',
         headers: headers
     });
-});
+});
+
+(async function () {
+    import fetch from 'node-fetch';
+
+    const username = 'sdsdag';
+    const password = config.get('some_actually_secrect_password');
+    const response = await fetch(ENDPOINT, {
+      method: 'get',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: 'Basic ' + Buffer.from(username + ':' + password).toString('base64'),
+      },
+    });
+})

Original file line number	Diff line number	Diff line change
`@@ -21,11 +21,17 @@ module HardcodedCredentials {`
`21`	`21`
`22`	`22`	`override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`23`	`23`
`24`		`- override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {`
	`24`	`+ override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {`
`25`	`25`	`exists(Base64::Encode encode \| src = encode.getInput() and trg = encode.getOutput())`
`26`	`26`	`or`
`27`	`27`	`trg.(StringOps::ConcatenationRoot).getALeaf() = src and`
`28`	`28`	not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
	`29`	`+ or`
	`30`	`+ exists(DataFlow::MethodCallNode bufferFrom \|`
	`31`	`+ bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and`
	`32`	`+ trg = bufferFrom and`
	`33`	`+ src = bufferFrom.getArgument(0)`
	`34`	`+ )`
`29`	`35`	`}`
`30`	`36`	`}`
`31`	`37`	`}`