JS: Extends CredentialsNode class mostly related to JWT authentication packages #14666
… results now, ConstantString is suggested as a better alternative for finding constant sources
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
this.getFile()
    .getLocation()
    .hasLocationInfo(any(string s |
        s.regexpMatch(["/.*test[.].*", "/.*demo[.].*", "/.*example[.].*", "/.*sample[.].*"])
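Review bot: this sanitizer compares the full location path of every candidate node against four regular expressions, which is per-node work for a property that only depends on the file; derive the exclusion from the File once (the isTestFile predicate from ClassifyFiles.qll already does this) and apply it in the query's where clause rather than as a library-level sanitizer. Note also that `/.*test[.].*` only matches paths containing the literal text `test.` (for example `app.test.js`), so files under a `test/` or `__tests__/` directory without that suffix are not excluded by it.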
I'm not sure if this should be added as a sanitizer on this level.
Please tell me where I should put this sanitizer. I encountered a lot of FPs before applying it, so I must use it, but I don't know exactly where.
Let's wait for the CodeQL team to review it. But I fear that if it adds a lot of FPs without this sanitizer, it might not be perfectly suited as an addition to this prod query.
On the other hand: excluding test files for fewer FPs might help to reduce FPs for the hardcoded-credentials query as a whole.
Two things.
- This shouldn't be added as a sanitizer; instead you should probably add a condition in the `where` statement in the .ql file.
- Use the `isTestFile` predicate from ClassifyFiles.qll instead.
The performance of this current sanitizer is terrible on some large projects, so this definitely cannot be merged as is.
The idea seems OK.
I haven't looked through the models yet, but I did run a small internal evaluation on them, and that looked OK.
But first there is a problem with the sanitizer.
I'll take a closer look at the models once that's resolved.
use a simpler where condition(the former sanitizer) for overcoming performance problems
I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.
Can you try to use If you don't want to do that, then an option is to move your contributions into the experimental folder. Note: The performance issue I mentioned previously is definitely gone with the filter in the
…condition, update tests accordingly
@erik-krogh if the changes are not good and it is better to move my changes to experimental please let me know.
@erik-krogh if the changes are not good and it is better to move my changes to experimental please let me know.
No, I think that is fine to get it in the standard suite.
But I did discuss internally, and agreed that you have some changes to make (beyond the comments below).
Somehow the isTestFile filter should only apply to the JWT keys you've added.
Probably by creating a new kind for getCredentialsKind, and then applying the filter only for that credentials-kind.
…steps with test cases, update test cases and expected test results
… query taint step
since we want to check if a jwt related sink is in this dir or not
… from with the isTestFile predicate. According to expected test results, with a new query, the jwt sinks of __test__/ dir have been excluded from query results.
    not isTestFile(sink.getNode().getFile()) and
    updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
  else
    // sink kind is "jwt key" and source is not constant string
    if
      sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
      not source.getNode().asExpr() instanceof ConstantString
    then not isTestFile(sink.getNode().getFile()) and value = "This hard-coded value"
    else
      // sink kind is not "jwt key" and source is constant string
      if
        not sink.getNode().(Sink).(DefaultCredentialsSink).getKind() = "jwt key" and
        source.getNode().asExpr() instanceof ConstantString
      then updateMessageWithSourceValue(value, source.getNode(), sink.getNode())
      else value = "This hard-coded value"
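Review bot: `not isTestFile(sink.getNode().getFile())` is duplicated across the two "jwt key" branches and is entangled with choosing the alert message, so a later change to the message logic can silently drop the filter from one branch; keep this block to message selection only and state the test-file exclusion once where the jwt-key sink is defined (for example in that sink's characteristic predicate), so the flow computation never yields those sinks in the first place.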
Can you revert these changes, and then instead put the filter on the Sink class instead?
Can you give me some tips about this? I couldn't figure out a solution.
@erik-krogh Could you help me with this, I have free time this week, so I can fix the issues quicker.
I'll have a look this week. I just came back from a few weeks of vacation.
You can e.g. do it like this: erik-krogh@38e5c90
(I tried to push directly to your PR, but I can't do that).
There should probably also be a comment on the new characteristic predicate in DefaultCredentialsSink.
The autoformatter checks are failing on
There is still
There is a single debug-line it looks like you forgot to remove.
But otherwise I think we're ready to merge 🎉
  src = n.getArgument(0) and
  trg = n and
  n.getLocation().getFile().getRelativePath().matches("%HardcodedCredentials.js%")
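Review bot: the `matches("%HardcodedCredentials.js%")` conjunct restricts this taint step to files whose relative path contains the test file's name, so the step fires only in the test suite and never in a real database; drop that line so the step is just `src = n.getArgument(0) and trg = n`, and if the step needs narrowing, scope it by the API node it models rather than by file name.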
This line looks like some debug code you forgot to remove?