update test cases of __tests__/ dir

am0o0 · am0o0 · commit 5a1877547f98 · 2024-07-01T14:50:07.000+02:00
since we want to check if a jwt related sink is in this dir or not
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -344,6 +344,13 @@ nodes
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" |
+| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" |
+| __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
 edges
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' |
@@ -525,6 +532,12 @@ edges
 | HardcodedCredentials.js:414:21:414:43 | "myHard ... ateKey" | HardcodedCredentials.js:414:9:414:43 | secretKey |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' |
 | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' | __tests__/HardcodedCredentialsDemo.js:8:19:8:28 | 'hgfedcba' |
+| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:21:24:21:32 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey | __tests__/HardcodedCredentialsDemo.js:28:31:28:39 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" | __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
+| __tests__/HardcodedCredentialsDemo.js:18:21:18:43 | "myHard ... ateKey" | __tests__/HardcodedCredentialsDemo.js:18:9:18:43 | secretKey |
 #select
 | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | HardcodedCredentials.js:5:15:5:22 | 'dbuser' | user name |
 | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:8:19:8:28 | 'hgfedcba' | password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/__tests__/HardcodedCredentialsDemo.js b/javascript/ql/test/query-tests/Security/CWE-798/__tests__/HardcodedCredentialsDemo.js
@@ -10,3 +10,24 @@
     });
     client.connect();
 })();
+
+(function () {
+    const JwtStrategy = require('passport-jwt').Strategy;
+    const passport = require('passport')
+
+    var secretKey = "myHardCodedPrivateKey";
+
+    const opts = {}
+    opts.secretOrKey = secretKey; // NOT OK
+    passport.use(new JwtStrategy(opts, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+
+    passport.use(new JwtStrategy({
+        secretOrKeyProvider: function (request, rawJwtToken, done) {
+            return done(null, secretKey) // NOT OK
+        }
+    }, function (jwt_payload, done) {
+        return done(null, false);
+    }));
+})();
