JS: Extends CredentialsNode class mostly related to JWT authentication packages #14666
base: main
Conversation
… results now, ConstantString is suggested as a better alternative for finding constant sources
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
this.getFile() | ||
.getLocation() | ||
.hasLocationInfo(any(string s | | ||
s.regexpMatch(["/.*test[.].*", "/.*demo[.].*", "/.*example[.].*", "/.*sample[.].*"]) |
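Review bot: the patterns passed to `s.regexpMatch([...])` on the last line are unanchored after the leading `/.*`, so `"/.*test[.].*"` matches any path that merely contains `test.` anywhere (a file named `latest.js` or `contest.js` qualifies), not only test files; and wrapping the match in `any(string s | ...)` leaves `s` bound only through `hasLocationInfo`, which is consistent with the performance problem reported below on large projects. Prefer the `isTestFile` predicate from `ClassifyFiles.qll`, applied as a condition in the query's `where` clause rather than as a sanitizer, as the thread suggests.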
I'm not sure if this should be added as a sanitizer on this level.
Please tell me where I should put this sanitizer, because I encountered a lot of FPs before applying it, so I must use it but don't know exactly where.
Let's wait for the CodeQL team to review it. But I fear that if it adds a lot of FPs without this sanitizer, it might not be perfectly suited as an addition for this prod query.
On the other hand: excluding test files for fewer FPs might help to reduce FPs for the hardcoded-credentials query as a whole.
Two things.
- This shouldn't be added as a sanitizer; instead you should probably add a condition in the `where` statement in the `.ql` file.
- Use the `isTestFile` predicate from `ClassifyFiles.qll` instead.

The performance of this current sanitizer is terrible on some large projects, so this definitely cannot be merged as is.
The idea seems OK.
I haven't looked through the models yet, but I did run a small internal evaluation on them, and that looked OK.
But first there is a problem with the sanitizer.
I'll take a closer look at the models once that's resolved.
use a simpler where condition (the former sanitizer) for overcoming performance problems
I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.
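As an added illustration, not code from this PR or from the CodeQL repository, this is what the approach agreed in the thread looks like when written into a query: the test-file filter lives in the `where` clause instead of a sanitizer, and it is applied to the sink only, so a constant that happens to be defined under a test or example directory is still reported when it reaches a sink in production code. The query skeleton, the message text and the import path for `ClassifyFiles` are assumptions; the `Configuration` class and the `isTestFile(File)` predicate are used with the names given in this thread.

```ql
/**
 * Hypothetical sketch (added example, not the repository's query):
 * hard-coded credential flow with test-file sinks excluded in the
 * `where` clause rather than via a sanitizer.
 */

import javascript
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
// Assumed location of the `isTestFile` predicate named in the review.
import semmle.javascript.filters.ClassifyFiles
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
  cfg.hasFlowPath(source, sink) and
  // Filter on the sink only. The source (the string constant) may
  // legitimately sit in a test or example file and still flow into
  // production code, so its file is deliberately not checked here.
  // Doing this in `where` keeps the taint configuration itself
  // unchanged, which avoids the per-node regex cost of the former
  // sanitizer on large projects.
  not isTestFile(sink.getNode().getFile())
select sink.getNode(), source, sink,
  "A hard-coded credential from $@ is used here.", source.getNode(), "this constant"
```

The practical difference from the sanitizer version is where the cost is paid: `isTestFile` is evaluated once per candidate sink file after path computation, instead of being consulted for every node the taint configuration visits.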
Can you try to use If you don't want to do that, then an option is to move your contributions into the experimental folder.
Note: The performance issue I mentioned previously is definitely gone with the filter in the
…condition, update tests accordingly
@erik-krogh, if the changes are not good and it is better to move my changes to experimental, please let me know.
No description provided.