
Commit 39a8b49

committed
add qhelp recommendation that you can use an obvious placeholder value
1 parent b209fc6 commit 39a8b49


3 files changed

+20
-0
lines changed


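--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
@@ -19,6 +19,10 @@
 If possible, store configuration files including credential data separately from the source code,
 in a secure location with restricted access.
 </p>
+<p>
+If the credentials are a placeholder value, make sure the value is obviously a placeholder by
+using a name such as <code>"SampleToken"</code> or <code>"MyPassword"</code>.
+</p>
 </recommendation>
 
 <example>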

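--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -274,6 +274,15 @@ nodes
 | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
 | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
 | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -403,6 +412,9 @@ edges
 | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` |
 | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` | HardcodedCredentials.js:295:37:295:66 | `Basic ... 000001` |
 | HardcodedCredentials.js:299:44:299:52 | 'mytoken' | HardcodedCredentials.js:299:44:299:52 | 'mytoken' |
+| HardcodedCredentials.js:300:44:300:56 | 'SampleToken' | HardcodedCredentials.js:300:44:300:56 | 'SampleToken' |
+| HardcodedCredentials.js:301:44:301:55 | 'MyPassword' | HardcodedCredentials.js:301:44:301:55 | 'MyPassword' |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -468,3 +480,4 @@ edges
 | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:245:22:245:44 | "myHard ... ateKey" | HardcodedCredentials.js:246:42:246:51 | privateKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:246:42:246:51 | privateKey | key |
 | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | The hard-coded value "Basic sdsdag:sdsdag" is used as $@. | HardcodedCredentials.js:292:37:292:57 | `Basic ... sdsdag` | authorization header |
 | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | The hard-coded value "Basic sdsdag:aaaiuogrweuibgbbbbb" is used as $@. | HardcodedCredentials.js:294:37:294:70 | `Basic ... gbbbbb` | authorization header |
+| HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | The hard-coded value "iubfewiaaweiybgaeuybgera" is used as $@. | HardcodedCredentials.js:302:44:302:69 | 'iubfew ... ybgera' | key |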

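--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -297,4 +297,7 @@
 
 (function () {
   require('crypto').createHmac('sha256', 'mytoken'); // OK
+  require('crypto').createHmac('sha256', 'SampleToken'); // OK
+  require('crypto').createHmac('sha256', 'MyPassword'); // OK
+  require('crypto').createHmac('sha256', 'iubfewiaaweiybgaeuybgera'); // NOT OK
 })();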
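Review bot: The three new cases pin only exact placeholder words and one random-looking string, so they do not establish the boundary that matters for a suppression heuristic: a value that starts with a placeholder word but carries secret-looking material after it. If the placeholder check is prefix- or substring-based (the query change is not in this commit, so I cannot tell), a real key such as `'SampleToken_8f3a9c2e1b7d4e6f'` would be silently accepted, which is exactly the evasion the new qhelp text invites by naming the magic words. One extra line, `require('crypto').createHmac('sha256', 'SampleToken_8f3a9c2e1b7d4e6f'); // NOT OK`, together with the matching `.expected` row, would pin the intended behaviour either way.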
