Merge pull request #5635 from RasmusWL/port-weak-crypto-algorithm

Approved by yoff

python/ql/test/experimental/dataflow/sensitive-data/TestSensitiveDataSources.ql

@@ -0,0 +1,20 @@
+import python
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+import semmle.python.dataflow.new.SensitiveDataSources
+
+class SensitiveDataSourcesTest extends InlineExpectationsTest {
+  SensitiveDataSourcesTest() { this = "SensitiveDataSourcesTest" }
+
+  override string getARelevantTag() { result = "SensitiveDataSource" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(SensitiveDataSource source |
+      location = source.getLocation() and
+      element = source.toString() and
+      value = source.getClassification() and
+      tag = "SensitiveDataSource"
+    )
+  }
+}

python/ql/test/experimental/dataflow/sensitive-data/test.py

@@ -0,0 +1,33 @@
+
+from not_found import get_passwd, account_id
+
+def get_password():
+    pass
+
+def get_secret():
+    pass
+
+def fetch_certificate():
+    pass
+
+def encrypt_password(pwd):
+    pass
+
+get_password() # $ SensitiveDataSource=password
+get_passwd() # $ SensitiveDataSource=password
+get_secret() # $ SensitiveDataSource=secret
+fetch_certificate() # $ SensitiveDataSource=certificate
+account_id() # $ SensitiveDataSource=id
+safe_to_store = encrypt_password(pwd)
+
+# attributes
+foo = ObjectFromDatabase()
+foo.secret # $ SensitiveDataSource=secret
+foo.username # $ SensitiveDataSource=id
+
+# Special handling of lookups of sensitive properties
+request.args["password"], # $ MISSING: SensitiveDataSource=password
+request.args.get("password") # $ SensitiveDataSource=password
+
+# I don't think handling `getlist` is super important, just included it to show what we don't handle
+request.args.getlist("password")[0] # $ MISSING: SensitiveDataSource=password