mirror of
https://github.com/unraid/api.git
synced 2025-12-31 05:29:48 -06:00
53 lines
1.5 KiB
Plaintext
53 lines
1.5 KiB
Plaintext
/**
|
|
* @name Hardcoded Secrets
|
|
* @description Hardcoded secrets or credentials in source code can lead to security vulnerabilities.
|
|
* @kind problem
|
|
* @problem.severity error
|
|
* @precision medium
|
|
* @id js/hardcoded-secrets
|
|
* @tags security
|
|
* external/cwe/cwe-798
|
|
*/
|
|
|
|
import javascript
|
|
|
|
/**
|
|
* Identifies variable declarations or assignments that may contain secrets
|
|
*/
|
|
predicate isSensitiveAssignment(DataFlow::Node node) {
|
|
exists(DataFlow::PropWrite propWrite |
|
|
propWrite.getPropertyName().regexpMatch("(?i).*(secret|key|password|token|credential|auth).*") and
|
|
propWrite.getRhs() = node
|
|
)
|
|
or
|
|
exists(VariableDeclarator decl |
|
|
decl.getName().regexpMatch("(?i).*(secret|key|password|token|credential|auth).*") and
|
|
decl.getInit().flow() = node
|
|
)
|
|
}
|
|
|
|
/**
|
|
* Identifies literals that look like secrets
|
|
*/
|
|
predicate isSecretLiteral(StringLiteral literal) {
|
|
// Match alphanumeric strings of moderate length that may be secrets
|
|
literal.getValue().regexpMatch("[A-Za-z0-9_\\-]{8,}") and
|
|
|
|
not (
|
|
// Skip likely non-sensitive literals
|
|
literal.getValue().regexpMatch("(?i)^(true|false|null|undefined|localhost|development|production|staging)$") or
|
|
// Skip URLs without credentials
|
|
literal.getValue().regexpMatch("^https?://[^:@/]+")
|
|
)
|
|
}
|
|
|
|
from DataFlow::Node source
|
|
where
|
|
isSensitiveAssignment(source) and
|
|
(
|
|
exists(StringLiteral literal |
|
|
literal.flow() = source and
|
|
isSecretLiteral(literal)
|
|
)
|
|
)
|
|
select source, "This assignment may contain a hardcoded secret or credential." |