rename ProcessEnvLabel to PartiallySensitiveMap

2026-04-24 16:25:15 +02:00 · 2019-11-05 10:35:12 +01:00
parent 2bd48db8cd
commit 052a331395
2 changed files with 12 additions and 7 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -35,8 +35,8 @@ module CleartextLogging {
    override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }

    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
-      // Only unknown property reads on `process.env` propagate taint.
-      (not lbl instanceof ProcessEnvLabel or exists(succ.(DataFlow::PropRead).getPropertyName())) and 
+      // Only unknown property reads on sensitive objects propagate taint.
+      (not lbl instanceof PartiallySensitiveMap or exists(succ.(DataFlow::PropRead).getPropertyName())) and 
      succ.(DataFlow::PropRead).getBase() = pred
    }
       
@@ -44,7 +44,7 @@ module CleartextLogging {
      DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
    ) {
      trg.(DataFlow::PropRead).getBase() = src and
-      inlbl instanceof ProcessEnvLabel and 
+      inlbl instanceof PartiallySensitiveMap and 
      outlbl.isData() 
    }
    
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -163,7 +163,7 @@ module CleartextLogging {
    }
  }

-
+  /** An access to the sensitive object `process.env`. */
  class ProcessEnvSource extends Source {
    ProcessEnvSource() {
      this = NodeJSLib::process().getAPropertyRead("env")
@@ -173,11 +173,16 @@ module CleartextLogging {
    
    override DataFlow::FlowLabel getLabel() {
      result.isData() or 
-      result instanceof ProcessEnvLabel
+      result instanceof PartiallySensitiveMap
    }
  }
-  class ProcessEnvLabel extends DataFlow::FlowLabel{
-    ProcessEnvLabel() {
+  
+  /**
+   * A flow label describing a map that might contain sensitive information in some properties.
+   * Property reads on such maps where the property name is fixed is unlikely to leak sensitive information. 
+   */
+  class PartiallySensitiveMap extends DataFlow::FlowLabel {
+    PartiallySensitiveMap() {
      this = "processEnv"
    }
  }