normalize auth-headers to lowercase

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/SensitiveActions.qll

@@ -197,22 +197,22 @@ module PasswordHeuristics {
     isDummyPassword(header)
     or
     exists(string prefix, string suffix | prefix = getAnHTTPAuthenticationScheme() |
-      header = prefix + " " + suffix and
+      header.toLowerCase() = prefix + " " + suffix and
       isDummyPassword(suffix)
     )
     or
-    header.trim() = getAnHTTPAuthenticationScheme()
+    header.trim().toLowerCase() = getAnHTTPAuthenticationScheme()
   }
 
   /**
-   * Gets a HTTP authentication scheme.
+   * Gets a HTTP authentication scheme normalized to lowercase.
    * From this list: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
    */
   private string getAnHTTPAuthenticationScheme() {
     result =
       [
         "Basic", "Bearer", "Digest", "HOBA", "Mutual", "Negotiate", "OAuth", "SCRAM-SHA-1",
         "SCRAM-SHA-256", "vapid"
-      ]
+      ].toLowerCase()
   }
 }