JS: remove check for test-environment in js/clear-text-logging

2026-05-02 04:05:14 +02:00 · 2018-08-20 12:22:17 +02:00
parent 3636708d30
commit 2b9f5c3fa2
3 changed files with 11 additions and 23 deletions
--- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -31,25 +31,8 @@ predicate inBrowserEnvironment(TopLevel tl) {
  )
 }

-/**
- * Holds if `sink` only is reachable in a "test" environment.
- */
-predicate inTestEnvironment(Sink sink) {
-  exists (IfStmt guard, Identifier id |
-    // heuristic: a deliberate environment choice by the programmer related to passwords implies a test environment
-    id.getName().regexpMatch("(?i).*(test|develop|production).*") and
-    id.(Expr).getParentExpr*() = guard.getCondition() and
-    (
-      guard.getAControlledStmt() = sink.asExpr().getEnclosingStmt() or
-      guard.getAControlledStmt().(BlockStmt).getAChildStmt() = sink.asExpr().getEnclosingStmt()
-    )
-  )
-}
-
 from Configuration cfg, Source source, DataFlow::Node sink
 where cfg.hasFlow(source, sink) and
      // ignore logging to the browser console (even though it is not a good practice)
-      not inBrowserEnvironment(sink.asExpr().getTopLevel()) and
-      // ignore logging when testing
-      not inTestEnvironment(sink)
+      not inBrowserEnvironment(sink.asExpr().getTopLevel())
 select sink, "Sensitive data returned by $@ is logged here.", source, source.describe()
--- a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -11,7 +11,12 @@
 | passwords.js:29:17:29:20 | obj3 | Sensitive data returned by $@ is logged here. | passwords.js:30:14:30:21 | password | an access to password |
 | passwords.js:78:17:78:38 | temp.en ... assword | Sensitive data returned by $@ is logged here. | passwords.js:77:37:77:53 | req.body.password | an access to password |
 | passwords.js:81:17:81:31 | `pw: ${secret}` | Sensitive data returned by $@ is logged here. | passwords.js:80:18:80:25 | password | an access to password |
+| passwords.js:93:21:93:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:93:39:93:46 | password | an access to password |
+| passwords.js:98:21:98:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:98:39:98:46 | password | an access to password |
+| passwords.js:105:21:105:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:105:39:105:46 | password | an access to password |
+| passwords.js:110:21:110:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:110:39:110:46 | password | an access to password |
 | passwords.js:114:25:114:50 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:114:43:114:50 | password | an access to password |
+| passwords.js:119:21:119:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:119:39:119:46 | password | an access to password |
 | passwords.js:122:17:122:49 | name +  ... tring() | Sensitive data returned by $@ is logged here. | passwords.js:122:31:122:38 | password | an access to password |
 | passwords.js:123:17:123:48 | name +  ... lueOf() | Sensitive data returned by $@ is logged here. | passwords.js:123:31:123:38 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
--- a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
+++ b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -90,24 +90,24 @@
    console.log("Password is: " + redact('password', password));

    if (environment.isTestEnv()) {
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
    }

    if (environment.is(TEST)) {
        // NB: for security reasons, we only log passwords in test environments
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
    }


    if (x.test(y)) {
        f();
        // ...
-        console.log("Password is: " + password); // NOT OK, but not flagged
+        console.log("Password is: " + password); // NOT OK
        // ...
    }

    if (environment.isTestEnv())
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged

    if (x.test(y)) {
        if (f()) {
@@ -116,7 +116,7 @@
    }

    if (!environment.isProduction()) {
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
    }

    console.log(name + ", " + password.toString()); // NOT OK