From 89e9c6c2da769bfda3676c6608b9dd87f3b29cf3 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Wed, 1 Jul 2020 18:27:44 +0100
Subject: [PATCH] Teach clear-text logging query to ignore dummy passwords.
---
 .../go/security/CleartextLoggingCustomizations.qll | 4 ++++
 ql/test/query-tests/Security/CWE-312/passwords.go | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
index 62d9438af41..329b4e67854 100644
--- a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
+++ b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -6,6 +6,7 @@
 import go
 private import semmle.go.security.SensitiveActions::HeuristicNames
+private import semmle.go.security.SensitiveActions::PasswordHeuristics
 /**
  * Provides extension points for customizing the data-flow tracking configuration for reasoning
@@ -67,6 +68,9 @@ module CleartextLogging {
 .(Ident)
 .getName()
 .regexpMatch("(?is).*(messages|strings).*")
+ or
+ // avoid dummy passwords
+ isDummyPassword(this.getStringValue())
 }
 }
diff --git a/ql/test/query-tests/Security/CWE-312/passwords.go b/ql/test/query-tests/Security/CWE-312/passwords.go
index 777fceb9374..5f0b291016d 100644
--- a/ql/test/query-tests/Security/CWE-312/passwords.go
+++ b/ql/test/query-tests/Security/CWE-312/passwords.go
@@ -19,7 +19,7 @@ func redact(kind, value string) string {
 func test() {
 name := "user"
 password := "P@ssw0rd"
- x := "aaaaa"
+ x := "horsebatterystapleincorrect"
 var o passStruct
 log.Println(password) // NOT OK
@@ -47,7 +47,7 @@ func test() {
 log.Println(obj3) // caught because of the below line
 obj3.x = password // NOT OK
- fixed_password := "123"
+ fixed_password := "cowbatterystaplecorrect"
 log.Println(fixed_password) // Probably OK, but caught
 log.Println(IncorrectPasswordError) // OK
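Review bot: The new disjunct `isDummyPassword(this.getStringValue())` in the `@@ -67,6 +68,9 @@` hunk deliberately narrows what the query reports, but the comment `// avoid dummy passwords` says neither what is excluded nor why; judging by the test changes in passwords.go, constant strings such as `"aaaaa"` and `"123"` are no longer treated as sensitive. Since `getStringValue()` has a result only for expressions with a constant string value, the exclusion can never apply to data computed at runtime, which is the property that makes it safe and is worth recording so nobody later widens it to name-based matching. Suggest replacing the comment with `// Constant strings that PasswordHeuristics classifies as placeholder/dummy passwords (e.g. "aaaaa") are not sensitive; this applies only to compile-time string values, never to runtime data.` The enclosing class and the `CleartextLogging` module start outside the hunk, so which role this class plays (non-source or barrier) is inferred, not visible.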
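Review bot: In the `@@ -19,7 +19,7 @@` hunk the literal for `x` changes from `"aaaaa"` to `"horsebatterystapleincorrect"` with no comment, so a later reader cannot tell that the old value was dropped because the query now classifies it as a dummy password rather than because the test case was wrong; the same applies to `fixed_password` in the `@@ -47,7 +47,7 @@` hunk, whose `// Probably OK, but caught` annotation is unchanged. A trailing comment on each line would keep the intent visible if the heuristic changes again, e.g. `x := "horsebatterystapleincorrect" // not a dummy value, so still treated as a password`. The enclosing `test` function starts and ends outside both hunks.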
@@ -125,6 +125,11 @@ func test() {
 log.Println(config) // NOT OK
 log.Println(config.x) // NOT OK
 log.Println(config.y) // NOT OK
+
+ obj4 := xStruct{
+ x: "aaaaa",
+ }
+ log.Println(obj4) // OK
 }
 const password = "horsebatterystaplecorrect"
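Review bot: The added `log.Println(obj4) // OK` is the only case in this test that exercises the new dummy-password exclusion, yet its annotation does not say why it is OK, unlike the explanatory `// caught because of the below line` used earlier in the file; suggest `log.Println(obj4) // OK: "aaaaa" is a dummy password`. It would also be worth a sibling `xStruct` case holding a non-dummy literal that is expected to be flagged, so the test pins that the exclusion is limited to dummy values rather than to `xStruct` fields in general — hedged, since `xStruct`'s definition is outside the hunk. The enclosing `test` function starts outside the hunk.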