Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LGTM.com - false positive: Type of authorization header should not be considered part of the credentials #4327

Closed
d-fischer opened this issue Sep 22, 2020 · 5 comments · Fixed by #6398
Closed

LGTM.com - false positive: Type of authorization header should not be considered part of the credentials #4327

d-fischer opened this issue Sep 22, 2020 · 5 comments · Fixed by #6398
Assignees
@erik-krogh
Labels
false-positive JS

Comments

@d-fischer
Copy link

Description of the false positive

Bearer and OAuth are not part of the credentials, but rather describe the type of the credentials.

URL to the alert on the project page on LGTM.com

https://lgtm.com/projects/g/d-fischer/twitch/snapshot/5249a6f49264f6678324dcf6e5ad37dd95b49935/files/packages/twitch-api-call/src/apiCall.ts#x2d89925154b9f725:1
@RasmusWL RasmusWL added the JS label Sep 23, 2020
@trevyn
Copy link

trevyn commented Oct 1, 2020

I hit this too, in a different variant:

The hard-coded value "Bearer foo" is used as authorization header.

Looks like foo would qualify as a dummy password/credential that shouldn't trigger this.

https://github.com/trevyn/turbo/security/code-scanning/1

@erik-krogh erik-krogh self-assigned this Oct 26, 2020
@stevehobbsdev
Copy link

stevehobbsdev commented Jul 28, 2021
edited

I have also hit this. I have an object that happens to have a property authorization on it and LGTM assumes it's referring to a header.

https://lgtm.com/projects/g/auth0/auth0-spa-js/snapshot/4a7df5014280db987cf34b2861a07e8ca3d73530/files/scripts/oidc-provider.js?sort=name&dir=ASC&mode=heatmap#xe67c6b362f563db0:1

Edit: actually I think the issue is slightly different, I'm getting "The hard-coded value "/authorize" is used as authorization header."

@erik-krogh erik-krogh mentioned this issue Aug 2, 2021
Merged
@erik-krogh
Copy link
Contributor

Thanks for the report, and sorry for the long wait (it got buried in my list of things to do).

@d-fischer and @trevyn: Both of your FP reports should be fixed by #6398.
It might take a few weeks for the fix to appear on LGTM.

@stevehobbsdev: Your issue is indeed different, and it is not fixed by the above.
Generally it works pretty well to mark every write to .authorization as an authorization header. But your example is definitely an exception to that.
Feel free to open a new issue with your FP report.

@viceice
Copy link

viceice commented Aug 17, 2021

When this will be released to github codeql action? We are also hit by this a lot from our tests at renovate 😕

renovatebot/renovate#11297

@erik-krogh
Copy link
Contributor

When this will be released to github codeql action? We are also hit by this a lot from our tests at renovate confused

The fix didn't end up in the recent 2.5.9 release of CodeQL.
So I think you'll have to wait until 2.6.0 is released. I think that will happen in about a week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@erik-krogh erik-krogh

Labels
false-positive JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

JS: don't report dummy authentication headers as hardcoded-crendentials erik-krogh/ql
6 participants
@trevyn @stevehobbsdev @RasmusWL @viceice @d-fischer @erik-krogh