Merge pull request #18473 from geoffw0/sensitive2

Improve shared sensitive data library handling of snake_case variable names
2025-12-17 01:03:14 +01:00 · 2025-01-15 18:02:33 +00:00
parent 02ac61f328 5ef5b04aac
commit 90faab456d
11 changed files with 60 additions and 24 deletions
--- a/swift/ql/lib/change-notes/2025-01-10-sensitive-data.md
+++ b/swift/ql/lib/change-notes/2025-01-10-sensitive-data.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The sensitive data library has been improved so that `snake_case` style variable names are recognized more reliably. This may result in more sensitive data being identified, and more results from queries that use the sensitive data library.
--- a/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
+++ b/swift/ql/lib/codeql/swift/security/SensitiveExprs.qll
@@ -34,8 +34,6 @@ class SensitivePassword extends SensitiveDataType, TPassword {

  override string getRegexp() {
    result = HeuristicNames::maybeSensitiveRegexp(SensitiveDataClassification::password())
-    or
-    result = "(?is).*pass.?phrase.*"
  }
 }

--- a/swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll
+++ b/swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll
@@ -62,7 +62,7 @@ module HeuristicNames {
   */
  string maybeAccountInfo() {
    result = "(?is).*acc(ou)?nt.*" or
-    result = "(?is).*(puid|username|userid|session(id|key)).*" or
+    result = "(?is).*(puid|user.?name|user.?id|session.?(id|key)).*" or
    result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
  }

@@ -71,8 +71,8 @@ module HeuristicNames {
   * a password or an authorization key.
   */
  string maybePassword() {
-    result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
-    result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
+    result = "(?is).*pass(wd|word|code|.?phrase)(?!.*question).*" or
+    result = "(?is).*(auth(entication|ori[sz]ation)?).?key.*"
  }

  /**