
Commit 42d5b80

committed
Added support for AWS.Credentials hardcoded credentials
1 parent f69037c commit 42d5b80


3 files changed

+25
-2
lines changed


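--- a/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
@@ -54,6 +54,13 @@ module AWS {
 result = getAWSConfig().asSource().getAPropertyWrite()
 }
 
+/**
+* Gets a data flow node representing an instance of `new AWS.Credentials(accessKeyId, secretAccessKey)`.
+*/
+private DataFlow::Node getCredentialsCreationNode() {
+result = getAWSImport().getMember("Credentials").getAnInstantiation().getReturn().asSource()
+}
+
 /**
 * Holds if the `i`th argument of `invk` is an object hash for `AWS.Config`.
 */
@@ -109,6 +116,18 @@ module AWS {
 prop = "secretAccessKey"
 )
 )
+or
+// `new AWS.Credentials({ accessKeyId: <user>, secretAccessKey: <password> })`
+exists(DataFlow::InvokeNode invk |
+invk = getCredentialsCreationNode() and
+(
+this = invk.getArgument(0) and
+kind = "user name"
+or
+this = invk.getArgument(1) and
+kind = "password"
+)
+)
 }
 
 override string getCredentialsKind() { result = kind }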
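Review bot: The comment introduced on the new `or` branch in the second hunk describes the object-hash form, `new AWS.Credentials({ accessKeyId: <user>, secretAccessKey: <password> })`, but the code beneath it binds `invk.getArgument(0)` and `invk.getArgument(1)`, i.e. the positional form that the doc comment on `getCredentialsCreationNode` in the first hunk describes; the comment should read `// `new AWS.Credentials(<user>, <password>)``. As written, a call that passes a single options object is not matched at all, since argument 0 is then an object literal rather than a string literal — if that form is meant to be covered (the existing object-hash handling for `AWS.Config` documented just above the first hunk suggests it is the established pattern), the branch needs a second disjunct reading the `accessKeyId` / `secretAccessKey` properties of argument 0, plus a test case next to the positional one at HardcodedCredentials.js:513. The SDK constructor also accepts a third positional `sessionToken` argument, which this branch does not consider; whether a hard-coded session token should be reported as a credential is a judgement call, but it is worth a note or a follow-up. The enclosing class and its `kind` field start outside the hunk.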

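--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
@@ -163,6 +163,8 @@
 | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | The hard-coded value "AccessID1" is used as $@. | HardcodedCredentials.js:508:63:508:73 | "AccessID1" | user name |
 | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | user name |
 | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | password |
+| HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | user name |
+| HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | password |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | The hard-coded value "SOMEACCESSKEY" is used as $@. | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | user name |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | The hard-coded value "hgfedcba" is used as $@. | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | password |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | The hard-coded value "dbuser" is used as $@. | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | user name |
@@ -561,6 +563,8 @@ nodes
 | HardcodedCredentials.js:508:93:508:109 | "NotSoSecretKey1" | semmle.label | "NotSoSecretKey1" |
 | HardcodedCredentials.js:510:30:510:44 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
 | HardcodedCredentials.js:511:34:511:43 | "hgfedcba" | semmle.label | "hgfedcba" |
+| HardcodedCredentials.js:514:9:514:23 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
+| HardcodedCredentials.js:515:9:515:18 | "hgfedcba" | semmle.label | "hgfedcba" |
 | HardcodedCredentials.js:520:20:520:34 | "SOMEACCESSKEY" | semmle.label | "SOMEACCESSKEY" |
 | HardcodedCredentials.js:521:24:521:33 | "hgfedcba" | semmle.label | "hgfedcba" |
 | __tests__/HardcodedCredentialsDemo.js:5:15:5:22 | 'dbuser' | semmle.label | 'dbuser' |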

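--- a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
+++ b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
@@ -511,8 +511,8 @@
 AWS.config.secretAccessKey = "hgfedcba"; // $ Alert
 
 const creds = new AWS.Credentials(
-"SOMEACCESSKEY", // $ MISSING: Alert
-"hgfedcba" // $ MISSING: Alert
+"SOMEACCESSKEY", // $ Alert
+"hgfedcba" // $ Alert
 );
 AWS.config.setCredentials(creds);
 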