
Commit cdc788b

committed
Ruby: configsig rb/hardcoded-credentials
1 parent 4d1684e commit cdc788b


2 files changed

+18
-11
lines changed


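--- a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
+++ b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql
@@ -14,7 +14,6 @@
 
 import codeql.ruby.AST
 import codeql.ruby.DataFlow
-import DataFlow::PathGraph
 import codeql.ruby.TaintTracking
 import codeql.ruby.controlflow.CfgNodes
 
@@ -132,14 +131,12 @@ class CredentialSink extends DataFlow::Node {
 CredentialSink() { isCredentialSink(this) }
 }
 
-class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
-HardcodedCredentialsConfiguration() { this = "HardcodedCredentialsConfiguration" }
+private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }
+predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
-
-override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 exists(ExprNodes::BinaryOperationCfgNode binop |
 (
 binop.getLeftOperand() = node1.asExpr() or
@@ -152,7 +149,11 @@ class HardcodedCredentialsConfiguration extends DataFlow::Configuration {
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialsConfiguration conf
-where conf.hasFlowPath(source, sink)
+private module HardcodedCredentialsFlow = DataFlow::Global<HardcodedCredentialsConfig>;
+
+private import HardcodedCredentialsFlow::PathGraph
+
+from HardcodedCredentialsFlow::PathNode source, HardcodedCredentialsFlow::PathNode sink
+where HardcodedCredentialsFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "This hardcoded value is $@.", sink.getNode(),
 "used as credentials"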
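Review bot: The new HardcodedCredentialsConfig module (new line 134) carries no QLDoc, so the security reason for the isAdditionalFlowStep over binary operations is never stated, and that is the part of this query a maintainer is most likely to "simplify" away. The test expectation updated in this same commit traces `pw_left + pw_right` into `pw` and on to the `password` sink, which is exactly the evasion the step guards against: a secret split into concatenated literal fragments must still be reported. A comment above the module would pin that down: `/** Flow from a hardcoded value to a credential sink. Binary operations (e.g. string concatenation) propagate so that a secret assembled from several literal fragments is still reported. */`. The body of isAdditionalFlowStep continues past the hunk, so the full set of operators it admits is not visible here. The file also still imports codeql.ruby.TaintTracking (new line 17) while the visible query only uses DataFlow::Global; if nothing outside these hunks references it, that import is dead and could go the same way as the removed DataFlow::PathGraph import.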

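--- a/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected
+++ b/ruby/ql/test/query-tests/security/cwe-798/HardcodedCredentials.expected
@@ -3,11 +3,14 @@ edges
 | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:1:33:1:36 | cert |
 | HardcodedCredentials.rb:18:19:18:72 | ... + ... | HardcodedCredentials.rb:1:23:1:30 | password |
 | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:19:18:72 | ... + ... |
-| HardcodedCredentials.rb:20:1:20:7 | pw_left | HardcodedCredentials.rb:22:1:22:2 | pw |
+| HardcodedCredentials.rb:20:1:20:7 | pw_left | HardcodedCredentials.rb:22:6:22:12 | pw_left |
 | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:1:20:7 | pw_left |
-| HardcodedCredentials.rb:21:1:21:8 | pw_right | HardcodedCredentials.rb:22:1:22:2 | pw |
+| HardcodedCredentials.rb:21:1:21:8 | pw_right | HardcodedCredentials.rb:22:16:22:23 | pw_right |
 | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:1:21:8 | pw_right |
 | HardcodedCredentials.rb:22:1:22:2 | pw | HardcodedCredentials.rb:23:19:23:20 | pw |
+| HardcodedCredentials.rb:22:6:22:12 | pw_left | HardcodedCredentials.rb:22:6:22:23 | ... + ... |
+| HardcodedCredentials.rb:22:6:22:23 | ... + ... | HardcodedCredentials.rb:22:1:22:2 | pw |
+| HardcodedCredentials.rb:22:16:22:23 | pw_right | HardcodedCredentials.rb:22:6:22:23 | ... + ... |
 | HardcodedCredentials.rb:23:19:23:20 | pw | HardcodedCredentials.rb:1:23:1:30 | password |
 | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:31:18:31:23 | passwd |
 | HardcodedCredentials.rb:43:29:43:43 | "[email protected]" | HardcodedCredentials.rb:43:18:43:25 | username |
@@ -27,6 +30,9 @@ nodes
 | HardcodedCredentials.rb:21:1:21:8 | pw_right | semmle.label | pw_right |
 | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | semmle.label | "4fQuzXef4f2yow8KWvIJTA==" |
 | HardcodedCredentials.rb:22:1:22:2 | pw | semmle.label | pw |
+| HardcodedCredentials.rb:22:6:22:12 | pw_left | semmle.label | pw_left |
+| HardcodedCredentials.rb:22:6:22:23 | ... + ... | semmle.label | ... + ... |
+| HardcodedCredentials.rb:22:16:22:23 | pw_right | semmle.label | pw_right |
 | HardcodedCredentials.rb:23:19:23:20 | pw | semmle.label | pw |
 | HardcodedCredentials.rb:31:18:31:23 | passwd | semmle.label | passwd |
 | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | semmle.label | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." |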
