test the change to hardcoded-credentials

erik-krogh · erik-krogh · commit b209fc67cbdd · 2024-05-03T19:34:18.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -153,12 +153,12 @@ nodes
 | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
 | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
 | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' |
+| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
+| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
+| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
+| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
+| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
+| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
@@ -271,6 +271,9 @@ nodes
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
+| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -326,8 +329,8 @@ edges
 | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' |
 | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' |
+| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" |
+| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' |
 | HardcodedCredentials.js:164:35:164:45 | 'change_me' | HardcodedCredentials.js:164:35:164:45 | 'change_me' |
 | HardcodedCredentials.js:171:11:171:25 | USER | HardcodedCredentials.js:173:35:173:38 | USER |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:11:171:25 | USER |
@@ -399,6 +402,7 @@ edges
 | HardcodedCredentials.js:293:37:293:65 | `Basic  ... xxxxxx` | HardcodedCredentials.js:293:37:293:65 | `Basic  ... xxxxxx` |
 | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic  ... gbbbbb` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic  ... 000001` |
+| HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -448,8 +452,8 @@ edges
 | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:130:44:130:53 | 'hgfedcba' | key |
 | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:131:52:131:61 | 'hgfedcba' | key |
 | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:135:41:135:50 | "hgfedcba" | key |
-| HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | HardcodedCredentials.js:160:38:160:48 | "change_me" | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:160:38:160:48 | "change_me" | key |
-| HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | HardcodedCredentials.js:161:41:161:51 | 'change_me' | The hard-coded value "change_me" is used as $@. | HardcodedCredentials.js:161:41:161:51 | 'change_me' | key |
+| HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:160:38:160:56 | "oiuneawrgiyubaegr" | key |
+| HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | The hard-coded value "oiuneawrgiyubaegr" is used as $@. | HardcodedCredentials.js:161:41:161:59 | 'oiuneawrgiyubaegr' | key |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:178:30:178:44 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:188:30:188:44 | `Basic ${AUTH}` | authorization header |
 | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:171:18:171:25 | 'sdsdag' | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | The hard-coded value "sdsdag" is used as $@. | HardcodedCredentials.js:195:37:195:51 | `Basic ${AUTH}` | authorization header |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -157,8 +157,8 @@
 })();
 
 (function(){
-	require("cookie-session")({ secret: "change_me" }); // NOT OK
-	require('crypto').createHmac('sha256', 'change_me'); // NOT OK
+	require("cookie-session")({ secret: "oiuneawrgiyubaegr" }); // NOT OK
+	require('crypto').createHmac('sha256', 'oiuneawrgiyubaegr'); // NOT OK
 
 	var basicAuth = require('express-basic-auth');
 	basicAuth({users: { [adminName]: 'change_me' }});  // OK
@@ -294,3 +294,7 @@
     headers.append("Authorization", `Basic sdsdag:aaaiuogrweuibgbbbbb`); // NOT OK
     headers.append("Authorization", `Basic sdsdag:000000000000001`); // OK
 });
+
+(function () {
+    require('crypto').createHmac('sha256', 'mytoken'); // OK
+})();
