
JS: Extends CredentialsNode class mostly related to JWT authentication packages #14666

Open
wants to merge 22 commits into base: main

Conversation

@am0o0 am0o0 (Contributor) commented Nov 2, 2023

No description provided.

am0o0 and others added 7 commits August 29, 2023 21:23
… results now, ConstantString is suggested as a better alternative for finding constant sources
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
this.getFile()
.getLocation()
.hasLocationInfo(any(string s |
s.regexpMatch(["/.*test[.].*", "/.*demo[.].*", "/.*example[.].*", "/.*sample[.].*"])
Contributor

I'm not sure if this should be added as a sanitizer on this level.

Contributor Author

Please tell me where I should put this sanitizer, because I encountered a lot of FPs before applying it, so I must use it but don't know exactly where.

Contributor

Let's wait for the CodeQL team to review it. But I fear that if it adds a lot of FPs without this sanitizer, it might not be perfectly suited as an addition to this prod query.
On the other hand: excluding test files for fewer FPs might help to reduce FPs for the hardcoded-credentials query as a whole.

Contributor

Two things.

  • This shouldn't be added as a sanitizer, instead you should probably add a condition in the where statement in the .ql file.
  • Use the isTestFile predicate from ClassifyFiles.qll instead.

The performance of this current sanitizer is terrible on some large projects, so this definitely cannot be merged as is.

@ghsecuritylab ghsecuritylab marked this pull request as ready for review May 30, 2024 13:52
@ghsecuritylab ghsecuritylab requested a review from a team as a code owner May 30, 2024 13:52
@erik-krogh erik-krogh (Contributor) left a comment

The idea seems OK.
I haven't looked through the models yet, but I did run a small internal evaluation on them, and that looked OK.

But first there is a problem with the sanitizer.

I'll take a closer look at the models once that's resolved.


@am0o0 am0o0 (Contributor Author) commented Jun 6, 2024

I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.

@erik-krogh erik-krogh (Contributor) commented Jun 6, 2024

I only included the new where condition on sinks because the constant hardcoded creds can be loaded from a test or example directory. However, the sink using these hardcoded creds should not be in a test or example directory.

Can you try to use ClassifyFiles.qll instead? I know those heuristics probably don't match exactly what you're looking for, but those can be improved later.
(I very much suggest that you don't look into that now, but do that in a later PR if needed, just to keep the scope of this PR low).

If you don't want to do that, then an option is to move your contributions into the experimental folder.

Note: The performance issue I mentioned previously is definitely gone with the filter in the where part of the query.
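
The reviewer's two points, put together as an added illustration (not code from this PR or from the CodeQL repository): the test-file exclusion leaves the taint configuration and becomes a condition in the query's where clause, filtering only the sink as the author describes, and it uses the isTestFile predicate from ClassifyFiles.qll instead of the path regexes. The query shape (the Configuration class, hasFlowPath, the select columns) is assumed from the JavaScript HardcodedCredentialsQuery library of the time and may differ from the actual query file.

```ql
/**
 * @name Hard-coded credentials (sketch of the where-clause filter)
 * @kind path-problem
 */

import javascript
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
// Assumed location of the shared file heuristics, including isTestFile
import semmle.javascript.filters.ClassifyFiles
import DataFlow::PathGraph

from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
  cfg.hasFlowPath(source, sink) and
  // The constant may legitimately live in a fixture or example file and
  // still be reused by production code, so the source is left unfiltered.
  // Only a sink that sits in a test file is dropped: that removes the
  // fixture-only findings behind the false positives without evaluating
  // a path predicate for every node the taint configuration visits.
  not isTestFile(sink.getNode().getFile())
select sink.getNode(), source, sink, "Hard-coded credential reaches a credential sink."
```

isTestFile uses the library's own heuristics rather than the `test`/`demo`/`example`/`sample` path patterns of the original sanitizer, so the set of excluded files will not be identical, which is the trade-off the reviewer accepts for now.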

@am0o0 am0o0 (Contributor Author) commented Jun 25, 2024

@erik-krogh if the changes are not good and it is better to move my changes to experimental please let me know.
