Merge pull request #17100 from owen-mc/java/sensitive-log/ignore-tokenizer

Java: whitelist variable names containing "tokenizer" for `java/sensitive-log`
2026-04-25 08:45:14 +02:00 · 2024-07-31 12:16:03 +01:00
parent 59e22f6cd9 44b6309e07
commit 8901b1fd14
4 changed files with 21 additions and 20 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -28,13 +28,26 @@ private string nonSuspicious() {
 }

 /**
- * Gets a regular expression for matching common names of variables that indicate the value being held contains sensitive information.
+ * Gets a regular expression for matching common names of variables that
+ * indicate the value being held contains sensitive information.
 */
 string getCommonSensitiveInfoRegex() {
  result = "(?i).*(challenge|pass(wd|word|code|phrase))(?!.*question).*" or
  result = "(?i).*(token|secret).*"
 }

+/**
+ * Gets a regular expression for matching common names of variables that
+ * indicate the value being held does not contains sensitive information,
+ * but is a false positive for `getCommonSensitiveInfoRegex`.
+ *
+ * - "tokenizer" is often used for java.util.StringTokenizer.
+ * - "tokenImage" appears in parser code generated by JavaCC.
+ */
+string getCommonSensitiveInfoFPRegex() {
+  result = "(?i).*(null|tokenizer).*" or result = "tokenImage"
+}
+
 /** An expression that might contain sensitive data. */
 abstract class SensitiveExpr extends Expr { }

--- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -15,8 +15,7 @@ class VariableWithSensitiveName extends Variable {
  VariableWithSensitiveName() {
    exists(string name | name = this.getName() |
      name.regexpMatch(getCommonSensitiveInfoRegex()) and
-      not name.regexpMatch("(?i).*null.*") and
-      name != "tokenImage" // appears in parser code generated by JavaCC
+      not name.regexpMatch(getCommonSensitiveInfoFPRegex())
    )
  }
 }
--- a/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md
+++ b/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
--- a/java/ql/test/query-tests/security/CWE-532/Test.java
+++ b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -1,28 +1,13 @@
 import org.apache.logging.log4j.Logger;

 class Test {
-    void test(String password) {
+    void test(String password, String authToken, String username, String nullToken, String stringTokenizer) {
        Logger logger = null;

        logger.info("User's password is: " + password); // $ hasTaintFlow
-    }
-
-    void test2(String authToken) {
-        Logger logger = null;
-
        logger.error("Auth failed for: " + authToken); // $ hasTaintFlow
-    }
-
-    void test3(String username) {
-        Logger logger = null;
-
        logger.error("Auth failed for: " + username); // Safe
-    }
-
-    void test4(String nullToken) {
-        Logger logger = null;
-
        logger.error("Auth failed for: " + nullToken); // Safe
+        logger.error("Auth failed for: " + stringTokenizer); // Safe
    }
-
 }