remove some FPs in js/password-in-configuration-file

erik-krogh · erik-krogh · commit 0f9b4334ccb4 · 2022-10-26T11:51:56.000+02:00
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -27,9 +27,9 @@ where
     not val.regexpMatch("\\$.*|%.*%") and
     not PasswordHeuristics::isDummyPassword(val)
     or
-    key.toLowerCase() != "readme" and
-    // look for `password=...`, but exclude `password=;`, `password="$(...)"`,
+    not key.toLowerCase() = ["readme", "run"] and
+    // look for `password=...`, but exclude `password=;`, `password="$(...)"`, `password=foo()`
     // `password=%s` and `password==`
-    pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
+    pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=|\\w+\\(.+\\))(\\S+).*", 1)
   )
 select valElement.(FirstLineOf), "Hard-coded password '" + pwd + "' in configuration file."
diff --git a/javascript/ql/test/query-tests/Security/CWE-313/tst.yml b/javascript/ql/test/query-tests/Security/CWE-313/tst.yml
@@ -5,3 +5,8 @@ steps:
 username: <%= ENV['USERNAME'] %>
 password: <%= ENV['PASSWORD'] %>
 password: change_me
+query:
+- run : |
+    printf("This is some scripting")
+    password = os.env['PASSWORD']
+password: foo("blab")
