Merge pull request github#16876 from GeekMasher/py-hardcoded-creds-mad

RasmusWL · web-flow · commit 2b2c381bf0ad · 2024-07-01T17:25:13.000+02:00
Python: Add Hardcoded Credentials MaD support
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -18,6 +18,7 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.filters.Tests
 private import semmle.python.dataflow.new.internal.DataFlowDispatch as DataFlowDispatch
 private import semmle.python.dataflow.new.internal.Builtins::Builtins as Builtins
+private import semmle.python.frameworks.data.ModelsAsData
 
 bindingset[char, fraction]
 predicate fewer_characters_than(StringLiteral str, string char, float fraction) {
@@ -80,6 +81,11 @@ class HardcodedValueSource extends DataFlow::Node {
 
 class CredentialSink extends DataFlow::Node {
   CredentialSink() {
+    exists(string s | s.matches("credentials-%") |
+      // Actual sink-type will be things like `credentials-password` or `credentials-username`
+      this = ModelOutput::getASinkNode(s).asSink()
+    )
+    or
     exists(string name |
       name.regexpMatch(getACredentialRegex()) and
       not name.matches("%file")
diff --git a/python/ql/src/change-notes/2024-06-28-cred-hardcoded.md b/python/ql/src/change-notes/2024-06-28-cred-hardcoded.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Adding Python support for Hardcoded Credentials as Models as Data

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Adding Python support for Hardcoded Credentials as Models as Data