
Commit c5091f1

Python: Make py/hardcoded-credentials a path-problem
and stop using deprecated hasFlow
1 parent 96d5703 commit c5091f1


2 files changed

+14
-7
lines changed


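--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -1,7 +1,7 @@
 /**
 * @name Hard-coded credentials
 * @description Credentials are hard coded in the source code of the application.
-* @kind problem
+* @kind path-problem
 * @problem.severity error
 * @precision medium
 * @id py/hardcoded-credentials
@@ -12,6 +12,7 @@
 */
 
 import python
+import semmle.python.security.Paths
 import semmle.python.security.TaintTracking
 import semmle.python.filters.Tests
 
@@ -155,9 +156,9 @@ class HardcodedCredentialsConfiguration extends TaintTracking::Configuration {
 
 
 
-from HardcodedCredentialsConfiguration config, TaintSource src, TaintSink sink
+from HardcodedCredentialsConfiguration config, TaintedPathSource src, TaintedPathSink sink
 
-where config.hasFlow(src, sink) and
-not any(TestScope test).contains(src.(ControlFlowNode).getNode())
+where config.hasFlowPath(src, sink) and
+not any(TestScope test).contains(src.getAstNode())
 
-select sink, "Use of hardcoded credentials from $@.", src, src.toString()
+select sink.getSink(), src, sink, "Use of $@.", src.getSource(), "hardcoded credentials"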
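Review bot: The rewritten `where` clause at the end of the last hunk still applies the `TestScope` exclusion to the source only, so a value hard-coded in production code but consumed by a sink located inside test code is still reported; if that asymmetry is intended, a one-line comment such as `// Suppress only values that originate in test code; sinks inside tests are still reported` above the `not any(TestScope test)` line would make it explicit. The expected-output change in the second file lists every `edges` row twice, which may indicate that the path source/sink nodes are not unique per location — worth confirming that `TaintedPathSource`/`TaintedPathSink` do not yield duplicate nodes for the same `src`/`sink` pair before the results are relied on. The `HardcodedCredentialsConfiguration` class named in the hunk header starts outside the hunk.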
Lines changed: 8 additions & 2 deletions
@@ -1,2 +1,8 @@
1-
| test.py:14:18:14:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:5:12:5:24 | Taint source | Taint source |
2-
| test.py:15:18:15:25 | Taint sink | Use of hardcoded credentials from $@. | test.py:6:12:6:25 | Taint source | Taint source |
1+
edges
2+
| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
3+
| test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value |
4+
| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
5+
| test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value |
6+
#select
7+
| test.py:14:18:14:25 | USERNAME | test.py:5:12:5:24 | hard coded value | test.py:14:18:14:25 | hard coded value | Use of $@. | test.py:5:12:5:24 | Str | hardcoded credentials |
8+
| test.py:15:18:15:25 | PASSWORD | test.py:6:12:6:25 | hard coded value | test.py:15:18:15:25 | hard coded value | Use of $@. | test.py:6:12:6:25 | Str | hardcoded credentials |
