mirror of
https://github.com/github/codeql.git
synced 2026-05-05 21:55:19 +02:00
Ruby: Update CleartextLogging fixture
The flow summary for `String#sub` leads to two new results in this test. They are duplicates of existing results, because the query is quite liberal in what it considers a source.

```ruby
password = "abc"
password_masked = password.sub(/./, "x")
Logger.new(STDOUT).info password_masked
```

In the example above, the query considers lines 1 and 2 to both be sources, with a sink at line 3. Previously there was no flow from line 1 to line 3 because of the missing flow summary for `String#sub`, and therefore there was just one result. Now we have the flow summary, there are two results. Line 2 is considered a source because it is an assignment to a variable that contains the term "password". I'm not sure how to adjust the query to avoid these duplicates, so I'm leaving them in for now.
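As an added example (not code from the CodeQL repository or the commit above), the following Ruby contrasts the `sub(/./, "x")` "masking" that the fixture labels ineffective, and that the new flow summary rightly treats as still carrying the secret, with a redaction that never derives its output from the secret; the `RedactingFormatter` name heuristic, the sample hash value (taken from the fixture's literal) and the field names are assumptions.

```ruby
require "logger"
require "stringio"

# Key names the formatter treats as sensitive, mirroring the query's own
# heuristic of flagging variables whose name contains "password".
SENSITIVE_NAME = /password|passwd|secret|token/i

# The fixture's pattern: sub replaces only the first match, so every other
# character of the secret still reaches the log unchanged.
def partial_mask(secret)
  secret.sub(/./, "x")
end

# Count characters of the original secret that survive masking in place.
def leaked_chars(secret, masked)
  secret.chars.zip(masked.chars).count { |a, b| a == b }
end

# Redaction whose output does not depend on the secret's contents at all,
# so no taint path can carry the secret through it.
def redact(_secret)
  "[REDACTED]"
end

# Logger formatter that redacts values whose key looks sensitive and leaves
# the rest of the structured message intact.
def redacting_formatter
  proc do |severity, _time, _prog, msg|
    line =
      if msg.is_a?(Hash)
        msg.map { |k, v| "#{k}=#{SENSITIVE_NAME.match?(k.to_s) ? redact(v) : v}" }.join(" ")
      else
        msg.to_s
      end
    "#{severity}: #{line}\n"
  end
end

# Log a hash through the formatter and return what would have been written.
def log_with_redaction(fields)
  out = StringIO.new
  logger = Logger.new(out)
  logger.formatter = redacting_formatter
  logger.info(fields)
  out.string
end

if __FILE__ == $PROGRAM_NAME
  secret = "ca497451f5e883662fb1a37bc9ec7838" # constructed sample, same literal as the fixture
  puts "chars leaked by sub masking: #{leaked_chars(secret, partial_mask(secret))}"
  print log_with_redaction(user: "alice", password: secret)
end
```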
@@ -13,9 +13,13 @@ edges
|
||||
| logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:23 | hsh1 : |
|
||||
| logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] |
|
||||
| logging.rb:37:20:37:23 | hsh1 : | logging.rb:37:20:37:34 | ...[...] |
|
||||
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:63:35:63:65 | password_masked_ineffective_sub : |
|
||||
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex |
|
||||
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:65:36:65:67 | password_masked_ineffective_gsub : |
|
||||
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex |
|
||||
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | logging.rb:63:35:63:88 | call to sub : |
|
||||
| logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub |
|
||||
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | logging.rb:65:36:65:86 | call to gsub : |
|
||||
| logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub |
|
||||
| logging.rb:77:9:77:16 | password : | logging.rb:79:15:79:22 | password |
|
||||
| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:83:5:83:16 | password_arg : |
|
||||
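Review bot: the chain `logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" :` -> `logging.rb:63:35:63:65 | password_masked_ineffective_sub :` -> `logging.rb:63:35:63:88 | call to sub :` -> `logging.rb:69:20:69:50 | password_masked_ineffective_sub` is exactly the pass-through the new `String#sub` summary introduces, and it pins down that a `sub`-masked value is still treated as sensitive, which the fixture's `ineffective_sub` naming suggests is the intent; a one-line comment in logging.rb stating that intent would stop a future change that models `sub` as a sanitizer from silently "fixing" this expected output.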
@@ -38,9 +42,13 @@ nodes
|
||||
| logging.rb:37:20:37:23 | hsh1 : | semmle.label | hsh1 : |
|
||||
| logging.rb:37:20:37:34 | ...[...] | semmle.label | ...[...] |
|
||||
| logging.rb:39:20:39:34 | ...[...] | semmle.label | ...[...] |
|
||||
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
|
||||
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
|
||||
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
|
||||
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
|
||||
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | semmle.label | password_masked_ineffective_sub : |
|
||||
| logging.rb:63:35:63:88 | call to sub : | semmle.label | call to sub : |
|
||||
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | semmle.label | password_masked_ineffective_gsub : |
|
||||
| logging.rb:65:36:65:86 | call to gsub : | semmle.label | call to gsub : |
|
||||
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
|
||||
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
|
||||
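Review bot: no intermediate call node is added for the `_ex` variants (sources at `logging.rb:60:38:60:71` and `logging.rb:62:39:62:72` flow to their sinks at 73:20 and 75:20 without a `call to sub`/`call to gsub` node), so unlike the 59/61 cases those two do not exercise the new summary at all; if they were meant as a second form of the same masking, it is worth confirming that the summary not firing for them is intended rather than a coverage gap.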
@@ -65,7 +73,9 @@ subpaths
|
||||
| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
|
||||
| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:30:8:30:55 | call to [] | an write to password |
|
||||
| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:34:1:34:15 | call to []= | a write to password |
|
||||
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | Sensitive data returned by $@ is logged here. | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
|
||||
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | Sensitive data returned by $@ is logged here. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
|
||||
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | Sensitive data returned by $@ is logged here. | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
|
||||
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | Sensitive data returned by $@ is logged here. | logging.rb:65:36:65:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
|
||||
| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | Sensitive data returned by $@ is logged here. | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
|
||||
| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | Sensitive data returned by $@ is logged here. | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
|
||||
|
||||
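Review bot: the two results for `logging.rb:69:20:69:50` (and likewise 71:20) differ only in source, the literal at 59:35 versus `call to sub` at 63:35, and both carry the same message "an assignment to password_masked_ineffective_sub"; since the commit message asks how to avoid this, one option is to stop treating an assignment as a source when its right-hand side is itself already reached by flow from another source, which would keep the new `sub` edge while reporting the literal once. Separately, the message `an write to password` on the `logging.rb:37:20:37:34` result line is a grammar slip in the query's alert text (compare `a write to password` on the next line), so it should be fixed in the query and this file regenerated rather than edited by hand.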