Added ability to detect direct write to global AWS.config

Napalys · Napalys · commit f69037c176c3 · 2025-04-28T14:00:12.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll b/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
@@ -41,6 +41,19 @@ module AWS {
       getAWSImport().getMember(getAWSServiceName()).getAnInstantiation().getReturn().asSource()
   }
 
+  /**
+   * Gets a node representing the AWS global config object.
+   */
+  private API::Node getAWSConfig() { result = getAWSImport().getMember("config") }
+
+  /**
+   * Gets a property write to the AWS config object.
+   * This captures assignments to AWS.config properties.
+   */
+  private DataFlow::PropWrite configAssigment() {
+    result = getAWSConfig().asSource().getAPropertyWrite()
+  }
+
   /**
    * Holds if the `i`th argument of `invk` is an object hash for `AWS.Config`.
    */
@@ -82,6 +95,20 @@ module AWS {
         or
         prop = "secretAccessKey" and kind = "password"
       )
+      or
+      // `AWS.config.accessKeyId = <user>` or `AWS.config.secretAccessKey = <password>`
+      exists(string prop, DataFlow::PropWrite propWrite |
+        propWrite = configAssigment() and
+        this = propWrite.getRhs() and
+        prop = propWrite.getPropertyName() and
+        (
+          kind = "user name" and
+          prop = "accessKeyId"
+          or
+          kind = "password" and
+          prop = "secretAccessKey"
+        )
+      )
     }
 
     override string getCredentialsKind() { result = kind }
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -161,6 +161,8 @@
 | HardcodedCredentials.js:506:41:506:51 | "AccessID1" | HardcodedCredentials.js:506:41:506:51 | "AccessID1" | HardcodedCredentials.js:506:41:506:51 | "AccessID1" | The hard-coded value "AccessID1" is used as $@. | HardcodedCredentials.js:506:41:506:51 | "AccessID1" | user name |
 | HardcodedCredentials.js:507:43:507:53 | "AccessID1" | HardcodedCredentials.js:507:43:507:53 | "AccessID1" | HardcodedCredentials.js:507:43:507:53 | "AccessID1" | The hard-coded value "AccessID1" is used as $@. | HardcodedCredentials.js:507:43:507:53 | "AccessID1" | user name |
 | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | The hard-coded value "AccessID1" is used as $@. | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | user name |
+| HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | user name |
+| HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | password |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | user name |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | password |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
@@ -557,6 +559,8 @@ nodes
 | HardcodedCredentials.js:507:73:507:89 | "NotSoSecretKey1" | semmle.label | "NotSoSecretKey1" |
 | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | semmle.label | "AccessID1" |
 | HardcodedCredentials.js:508:93:508:109 | "NotSoSecretKey1" | semmle.label | "NotSoSecretKey1" |
+| HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
+| HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | semmle.label | "hgfedcba" |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | semmle.label | "hgfedcba" |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | semmle.label | 'dbuser' |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -507,8 +507,8 @@
     const swf = new AWS.SWF({accessKeyId: "AccessID1", secretAccessKey: "NotSoSecretKey1"}); // $ Alert
     const stepfunctions = new AWS.StepFunctions({accessKeyId: "AccessID1", secretAccessKey: "NotSoSecretKey1"}); // $ Alert
 
-    AWS.config.accessKeyId = "SOMEACCESSKEY"; // $ MISSING: Alert
-    AWS.config.secretAccessKey = "hgfedcba"; // $ MISSING: Alert
+    AWS.config.accessKeyId = "SOMEACCESSKEY"; // $ Alert
+    AWS.config.secretAccessKey = "hgfedcba"; // $ Alert
     
     const creds = new AWS.Credentials(
         "SOMEACCESSKEY", // $ MISSING: Alert
