Merge branch 'github:main' into fix/path-injection-read-subkind

java/ql/lib/semmle/code/java/security/SensitiveActions.qll

@@ -40,14 +40,26 @@ string getCommonSensitiveInfoRegex() {
 
 /**
  * Gets a regular expression for matching common names of variables that
- * indicate the value being held does not contains sensitive information,
+ * indicate the value being held does not contain sensitive information,
  * but is a false positive for `getCommonSensitiveInfoRegex`.
  *
  * - "tokenizer" is often used for java.util.StringTokenizer.
  * - "tokenImage" appears in parser code generated by JavaCC.
+ * - Pagination/iteration tokens: "nextToken" (AWS SDK), "pageToken" (GCP), etc.
+ * - Token metadata: "tokenType" (OAuth), "tokenEndpoint" (OIDC), "tokenCount", etc.
+ * - Secret metadata: "secretName" (K8s/AWS), "secretId" (Azure), "secretVersion", etc.
  */
 string getCommonSensitiveInfoFPRegex() {
-  result = "(?i).*(null|tokenizer).*" or result = "tokenImage"
+  result =
+    [
+      "(?i).*(null|tokenizer).*", "tokenImage",
+      // Pagination/iteration tokens (e.g., AWS SDK pagination cursors, parser tokens)
+      "(?i).*(next|previous|current|page|continuation|cursor)tokens?.*",
+      // Token metadata/infrastructure (token followed by a non-value descriptor)
+      "(?i).*tokens?(type|kind|count|index|position|length|offset|endpoint|url|uri|bucket|rate|delimiter|separator|format|number|name|id|prefix|suffix|pattern|class|style).*",
+      // Secret metadata (secret followed by a non-value descriptor)
+      "(?i).*secrets?(name|id|version|ref|arn|path|type|label|description|manager|client|provider|store|factory|properties).*"
+    ]
 }
 
 /** An expression that might contain sensitive data. */