Merge pull request #13501 from adrienpessu/main

JS: Add another example the Hardcoded credential help

Author: erik-krogh

javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp

@@ -21,6 +21,23 @@
 </p>
 </recommendation>
 
+<example>
+  <p>
+    The following code example connects to an HTTP request using an hard-codes authentication header: 
+  </p>
+
+  <sample src="examples/HardcodedCredentialsHttpRequest.js"/>
+
+  <p>
+    Instead, user name and password can be supplied through the environment variables
+    <code>username</code> and <code>password</code>, which can be set externally without hard-coding
+    credentials in the source code.
+  </p>
+
+  <sample src="examples/HardcodedCredentialsHttpRequestFixed.js"/>
+
+</example>
+
 <example>
   <p>
     The following code example connects to a Postgres database using the <code>pg</code> package

javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequest.js

@@ -0,0 +1,18 @@
+let base64 = require('base-64');
+
+let url = 'http://example.org/auth';
+let username = 'user';
+let password = 'passwd';
+
+let headers = new Headers();
+
+headers.append('Content-Type', 'text/json');
+headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
+
+fetch(url, {
+          method:'GET',
+          headers: headers
+       })
+.then(response => response.json())
+.then(json => console.log(json))
+.done();

javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequestFixed.js

@@ -0,0 +1,18 @@
+let base64 = require('base-64');
+
+let url = 'http://example.org/auth';
+let username = process.env.USERNAME;
+let password = process.env.PASSWORD;
+
+let headers = new Headers();
+
+headers.append('Content-Type', 'text/json');
+headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
+
+fetch(url, {
+        method:'GET',
+        headers: headers
+     })
+.then(response => response.json())
+.then(json => console.log(json))
+.done();