2 changes: 1 addition & 1 deletion change-notes/1.21/analysis-javascript.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
| Expression has no effect | Fewer false-positive results | This rule now treats uses of `Object.defineProperty` more conservatively. |
| Incomplete regular expression for hostnames | More results | This rule now tracks regular expressions for host names further. |
| Incomplete string escaping or encoding | More results | This rule now considers the flow of regular expressions literals, and it no longer flags the removal of trailing newlines. |
| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism or read from environment variables. |
| Password in configuration file | Fewer false positive results | This query now excludes passwords that are inserted into the configuration file using a templating mechanism or read from environment variables. Results are no longer shown on LGTM by default. |
| Replacement of a substring with itself | More results | This rule now considers the flow of regular expressions literals. |
| Server-side URL redirect | Fewer false-positive results | This rule now treats URLs as safe in more cases where the hostname cannot be tampered with. |
| Type confusion through parameter tampering | Fewer false-positive results | This rule now recognizes additional emptiness checks. |
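Review bot: the replacement row in this hunk still summarises the change as "Fewer false positive results" only, but the commit also changes what the query reports: the alert message now quotes the matched password (see the new select clause and the updated .expected file), and multi-line YAML block scalars now yield results (tst7.yml). Suggest widening the summary to cover both, and hyphenate "false-positive" as the neighbouring rows do.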
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
* @description Storing unencrypted passwords in configuration files is unsafe.
* @kind problem
* @problem.severity warning
* @precision high
* @precision medium
* @id js/password-in-configuration-file
* @tags security
* external/cwe/cwe-256
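Review bot: lowering `@precision` from high to medium matches the "no longer shown on LGTM by default" sentence in the change note, but nothing in the commit says why; a one-line rationale (for example, that the `password=...` substring heuristic over arbitrary config strings is inherently noisy) in the change note or PR description would help whoever later asks whether it can return to high.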
Expand All @@ -12,6 +12,7 @@
*/

import javascript
import semmle.javascript.RestrictedLocations

/**
* Holds if some JSON or YAML file contains a property with name `key`
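Review bot: the new `import semmle.javascript.RestrictedLocations` exists only to support the `(FirstLineOf)` cast in the select clause; that is fine, but a short comment next to the cast explaining why the location is restricted (a YAML block scalar value spans many lines, and the alert would otherwise highlight the whole block) would save readers a lookup.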
Expand Down Expand Up @@ -45,21 +46,22 @@ predicate exclude(File f) {
f.getExtension().toLowerCase() = "raml"
}

from string key, string val, Locatable valElement
from string key, string val, Locatable valElement, string pwd
where
config(key, val, valElement) and
val != "" and
// exclude possible templates
not val.regexpMatch(Templating::getDelimiterMatchingRegexp()) and
(
key.toLowerCase() = "password" and
pwd = val and
// exclude interpolations of environment variables
not val.regexpMatch("\\$.*|%.*%")
or
key.toLowerCase() != "readme" and
// look for `password=...`, but exclude `password=;`, `password="$(...)"`,
// `password=%s` and `password==`
val.regexpMatch("(?is).*password\\s*=(?!\\s*;)(?!\"?[$`])(?!%s)(?!=).*")
pwd = val.regexpCapture("(?is).*password\\s*=\\s*(?!;|\"?[$`]|%s|=)(\\S+).*", 1)
) and
not exclude(valElement.getFile())
select valElement, "Avoid plaintext passwords in configuration files."
select (FirstLineOf)valElement, "Hard-coded password '" + pwd + "' in configuration file."
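Review bot: the new select puts the captured secret verbatim into the alert text (`"Hard-coded password '" + pwd + "' in configuration file."`), so the password is copied into every results file, SARIF upload and dashboard that displays the alert, where the old message only pointed at the location. Prefer naming the key or a masked value and leave the full value to the highlighted source. Separately, the capture group `(\\S+)` keeps surrounding quotes and trailing punctuation, which is why the tst4.json expectation reads `''secret''`; a capture that strips an optional leading quote and stops at `"`, `'` or `;` would report the bare value. Minor and pre-existing: the lookahead `\"?[$`]` only skips a `$` behind an optional double quote, so a single-quoted `'$VAR'` is still reported.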
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,6 @@ module Templating {
* storing it in its first (and only) capture group.
*/
string getDelimiterMatchingRegexp() {
result = ".*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
result = "(?s).*(" + concat("\\Q" + getADelimiter() + "\\E", "|") + ").*"
}
}
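Review bot: adding `(?s)` lets `.*` span newlines, so `regexpMatch` on a multi-line value now succeeds as soon as any line contains a templating delimiter, which is what makes the tst8.yml block scalar count as templated. The flip side is that a block holding one templated field and a literal password on another line is now excluded wholesale; if that is not intended, apply the delimiter check to the line that contains `password` (for example with `(?m)` and line anchors) rather than to the whole value.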
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
| mysql-config.json:4:16:4:23 | "secret" | Avoid plaintext passwords in configuration files. |
| tst4.json:2:10:2:38 | "script ... ecret'" | Avoid plaintext passwords in configuration files. |
| mysql-config.json:4:16:4:23 | "secret" | Hard-coded password 'secret' in configuration file. |
| tst4.json:2:10:2:38 | "script ... ecret'" | Hard-coded password ''secret'' in configuration file. |
| tst7.yml:2:9:2:6 | \| | Hard-coded password 'abc' in configuration file. |
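Review bot: the new tst7.yml expectation `tst7.yml:2:9:2:6` has an end column (6) before its start column (9) on the same line, which suggests `FirstLineOf` is not computing the end of a block scalar's first line (`config: |`) the way you expect; check the location it yields before accepting this as the expected value.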
6 changes: 6 additions & 0 deletions javascript/ql/test/query-tests/Security/CWE-313/tst7.yml
Original file line number Diff line number Diff line change
@@ -1 +1,7 @@
password: $$SOME_VAR
config: |
[mail]
host = smtp.mydomain.com
port = 25
username = sample_admin@mydomain.com
password = abc
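Review bot: this file now combines the pre-existing `password: $$SOME_VAR` environment-variable case with an ini-style `password = abc` inside a block scalar, but the .expected file only lists the `abc` result, so a reader cannot tell that the `$$SOME_VAR` exclusion is being asserted rather than simply missed; a comment in the YAML, or keeping the two cases in separate files, would make the negative case explicit.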
6 changes: 6 additions & 0 deletions javascript/ql/test/query-tests/Security/CWE-313/tst8.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
config: |
[mail]
host = smtp.mydomain.com
port = 25
username = {{username}}
password = {{pwd}}
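Review bot: this negative test only covers a block in which every field is templated (`{{username}}` and `{{pwd}}`), so it cannot distinguish "the password line is templated" from "some line in the block is templated", which is exactly the distinction the `(?s)` change in `getDelimiterMatchingRegexp` blurs; add a sibling case with `username = {{username}}` and a literal `password = ...` and decide in the .expected file whether that literal should be reported.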