Teach clear-text logging query to ignore dummy passwords.

2026-01-29 14:23:03 +01:00 · 2020-07-01 18:27:44 +01:00
parent 63187a0889
commit 89e9c6c2da
2 changed files with 11 additions and 2 deletions
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -6,6 +6,7 @@

 import go
 private import semmle.go.security.SensitiveActions::HeuristicNames
+private import semmle.go.security.SensitiveActions::PasswordHeuristics

 /**
 * Provides extension points for customizing the data-flow tracking configuration for reasoning
@@ -67,6 +68,9 @@ module CleartextLogging {
          .(Ident)
          .getName()
          .regexpMatch("(?is).*(messages|strings).*")
+      or
+      // avoid dummy passwords
+      isDummyPassword(this.getStringValue())
    }
  }

--- a/ql/test/query-tests/Security/CWE-312/passwords.go
+++ b/ql/test/query-tests/Security/CWE-312/passwords.go
@@ -19,7 +19,7 @@ func redact(kind, value string) string {
 func test() {
 	name := "user"
 	password := "P@ssw0rd"
-	x := "aaaaa"
+	x := "horsebatterystapleincorrect"
 	var o passStruct

 	log.Println(password)        // NOT OK
@@ -47,7 +47,7 @@ func test() {
 	log.Println(obj3) // caught because of the below line
 	obj3.x = password // NOT OK

-	fixed_password := "123"
+	fixed_password := "cowbatterystaplecorrect"
 	log.Println(fixed_password) // Probably OK, but caught

 	log.Println(IncorrectPasswordError) // OK
@@ -125,6 +125,11 @@ func test() {
 	log.Println(config)          // NOT OK
 	log.Println(config.x)        // NOT OK
 	log.Println(config.y)        // NOT OK
+
+	obj4 := xStruct{
+		x: "aaaaa",
+	}
+	log.Println(obj4) // OK
 }

 const password = "horsebatterystaplecorrect"