
JS: Extends CredentialsNode class mostly related to JWT authentication packages

Open am0o0 opened this issue 2 years ago • 3 comments

am0o0 avatar Nov 02 '23 15:11 am0o0

I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.

am0o0 avatar Jun 06 '24 12:06 am0o0

> I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.

Can you try to use ClassifyFiles.qll instead? I know those heuristics probably don't match exactly what you're looking for, but those can be improved later.
(I very much suggest that you don't look into that now, but do that in a later PR if needed, just to keep the scope of this PR low).

If you don't want to do that, then an option is to move your contributions into the experimental folder.

Note: The performance issue I mentioned previously is definitely gone with the filter in the where part of the query.

erik-krogh avatar Jun 06 '24 18:06 erik-krogh
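For readers following the discussion, here is an added illustration of the two approaches being weighed: a sink-side filter on the file of the sink, first as a hand-written directory heuristic and then via ClassifyFiles.qll. This is example code written for this page, not the PR's diff or the CodeQL repository's own query. It assumes that `semmle.javascript.filters.ClassifyFiles` exports `isTestFile(File f)`, and that `HardcodedCredentialsQuery` still exposes the class-based `Configuration` / `DataFlow::PathNode` API; the predicate `inTestOrExampleDir` and the regexp inside it are hypothetical and only stand in for whatever heuristic the PR actually uses.

```ql
/**
 * @name Hard-coded credentials (illustrative sink filter)
 * @description Example only: shows a where-clause filter on the sink's file,
 *              first with an ad-hoc path heuristic, then with ClassifyFiles.qll.
 * @kind path-problem
 * @problem.severity warning
 * @id js/example/hardcoded-credentials-sink-filter
 */

import javascript
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
// Assumption: ClassifyFiles.qll exports `isTestFile(File f)`.
import semmle.javascript.filters.ClassifyFiles
import DataFlow::PathGraph

/**
 * Hypothetical ad-hoc heuristic: holds if `f` sits under a directory that is
 * conventionally used for tests or examples. This is the kind of hand-rolled
 * check that a shared classifier such as ClassifyFiles.qll is meant to replace.
 */
predicate inTestOrExampleDir(File f) {
  f.getRelativePath().regexpMatch("(?i)(^|.*/)(tests?|__tests__|spec|examples?)/.*")
}

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
  cfg.hasFlowPath(source, sink) and
  // Filter only on the sink's file. The constant itself may legitimately be
  // defined in a fixture under a test or example directory; what matters is
  // that the code consuming it as a credential is not test or example code.
  not isTestFile(sink.getNode().getFile()) and
  not inTestOrExampleDir(sink.getNode().getFile())
select sink.getNode(), source, sink,
  "Hard-coded credential from $@ is used as a credential here.", source.getNode(),
  "this constant"
```

Restricting the filter to the sink's file, rather than to the source's, is the point am0o0 makes above: dropping flows whose source lives in a test directory would hide a real production sink that happens to import its secret from a fixture. The filter also runs after `hasFlowPath`, so it only prunes results and does not restrict the flow computation itself.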

@erik-krogh, if the changes are not good and it is better to move my changes to experimental, please let me know.

am0o0 avatar Jun 25 '24 06:06 am0o0

The autoformatter checks are failing on javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql and javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll.
You can use codeql query format -i <paths-to-files> to run the autoformatter.

erik-krogh avatar Aug 05 '24 12:08 erik-krogh

There is still javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql; it's still failing the autoformatter checks.

erik-krogh avatar Aug 05 '24 12:08 erik-krogh