apply changes from @erik-krogh

Author: am0o0

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll

@@ -4,6 +4,7 @@
  * own.
  */
 
+import semmle.javascript.filters.ClassifyFiles
 import javascript
 private import semmle.javascript.security.SensitiveActions
 
@@ -38,5 +39,9 @@ module HardcodedCredentials {
    */
   class DefaultCredentialsSink extends Sink instanceof CredentialsNode {
     override string getKind() { result = super.getCredentialsKind() }
+
+    DefaultCredentialsSink() {
+      not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
+    }
   }
-}
+}

javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -16,50 +16,30 @@
 import javascript
 import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
 import DataFlow::PathGraph
-import semmle.javascript.filters.ClassifyFiles
 
 bindingset[s]
 predicate looksLikeATemplate(string s) { s.regexpMatch(".*((\\{\\{.*\\}\\})|(<.*>)|(\\(.*\\))).*") }
 
-predicate updateMessageWithSourceValue(string value, DataFlow::Node source, DataFlow::Node sink) {
-  exists(string val | val = source.getStringValue() |
-    // exclude dummy passwords and templates
-    not (
-      sink.(Sink).(DefaultCredentialsSink).getKind() = ["password", "credentials", "token", "key"] and
-      PasswordHeuristics::isDummyPassword(val)
-      or
-      sink.(Sink).getKind() = "authorization header" and
-      PasswordHeuristics::isDummyAuthHeader(val)
-      or
-      looksLikeATemplate(val)
-    ) and
-    value = "The hard-coded value \"" + val + "\""
-  )
-}
-
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
 where
   cfg.hasFlowPath(source, sink) and
-  // sink kind is "jwt key" and source is constant string
-  if
-    sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
-    // use source value in message if it's available
-    source.getNode().asExpr() instanceof ConstantString
+  // use source value in message if it's available
+  if source.getNode().asExpr() instanceof ConstantString
   then
-    not isTestFile(sink.getNode().getFile()) and
-    updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
-  else
-    // sink kind is "jwt key" and source is not constant string
-    if
-      sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
-      not source.getNode().asExpr() instanceof ConstantString
-    then not isTestFile(sink.getNode().getFile()) and value = "This hard-coded value"
-    else
-      // sink kind is not "jwt key" and source is  constant string
-      if
-        not sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
-        source.getNode().asExpr() instanceof ConstantString
-      then updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
-      else value = "This hard-coded value"
+    exists(string val | val = source.getNode().getStringValue() |
+      // exclude dummy passwords and templates
+      not (
+        sink.getNode().(Sink).(DefaultCredentialsSink).getKind() =
+          ["password", "credentials", "token", "key"] and
+        PasswordHeuristics::isDummyPassword(val)
+        or
+        sink.getNode().(Sink).getKind() = "authorization header" and
+        PasswordHeuristics::isDummyAuthHeader(val)
+        or
+        looksLikeATemplate(val)
+      ) and
+      value = "The hard-coded value \"" + val + "\""
+    )
+  else value = "This hard-coded value"
 select source.getNode(), source, sink, value + " is used as $@.", sink.getNode(),
-  sink.getNode().(Sink).getKind()
+  sink.getNode().(Sink).getKind()

javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected

@@ -344,13 +344,6 @@ nodes
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
-| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" |
-| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" |
-| __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -532,12 +525,6 @@ edges
 | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
-| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" | __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
-| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" | __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
@@ -616,4 +603,4 @@ edges
 | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:396:21:396:43 | "myHard ... ateKey" | HardcodedCredentials.js:399:17:399:25 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:399:17:399:25 | secretKey | jwt key |
 | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:416:27:416:35 | secretKey | The hard-coded value "myHardCodedPrivateKey" is used as $@. | HardcodedCredentials.js:416:27:416:35 | secretKey | jwt key |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
-| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |
+| __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | password |