hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: Add a test that shows FP/FN for clear text logging query

Browse Source
This commit is contained in:
Tom Hvitved
2023-03-16 14:24:25 +01:00
parent 720eed398b
commit ae10e6e08f
2 changed files with 53 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected
View File

@@ -10,20 +10,22 @@ edges
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:23:33:23:40 | password |
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:26:18:26:34 | "pw: #{...}" |
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password |
| logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:23 | hsh1 : |
| logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] |
| logging.rb:37:20:37:23 | hsh1 : | logging.rb:37:20:37:34 | ...[...] |
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:63:35:63:65 | password_masked_ineffective_sub : |
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex |
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:65:36:65:67 | password_masked_ineffective_gsub : |
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex |
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | logging.rb:63:35:63:88 | call to sub : |
| logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub |
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | logging.rb:65:36:65:86 | call to gsub : |
| logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub |
| logging.rb:77:9:77:16 | password : | logging.rb:79:15:79:22 | password |
| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:83:5:83:16 | password_arg : |
| logging.rb:83:5:83:16 | password_arg : | logging.rb:77:9:77:16 | password : |
| logging.rb:30:8:30:55 | call to [] : | logging.rb:38:20:38:23 | hsh1 : |
| logging.rb:30:8:30:55 | call to [] : | logging.rb:44:20:44:23 | hsh1 : |
| logging.rb:34:1:34:15 | call to []= : | logging.rb:40:20:40:34 | ...[...] |
| logging.rb:38:20:38:23 | hsh1 : | logging.rb:38:20:38:34 | ...[...] |
| logging.rb:44:20:44:23 | hsh1 : | logging.rb:44:20:44:29 | ...[...] |
| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:68:35:68:65 | password_masked_ineffective_sub : |
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex |
| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:70:36:70:67 | password_masked_ineffective_gsub : |
| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex |
| logging.rb:68:35:68:65 | password_masked_ineffective_sub : | logging.rb:68:35:68:88 | call to sub : |
| logging.rb:68:35:68:88 | call to sub : | logging.rb:74:20:74:50 | password_masked_ineffective_sub |
| logging.rb:70:36:70:67 | password_masked_ineffective_gsub : | logging.rb:70:36:70:86 | call to gsub : |
| logging.rb:70:36:70:86 | call to gsub : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub |
| logging.rb:82:9:82:16 | password : | logging.rb:84:15:84:22 | password |
| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:88:5:88:16 | password_arg : |
| logging.rb:88:5:88:16 | password_arg : | logging.rb:82:9:82:16 | password : |
nodes
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | semmle.label | "043697b96909e03ca907599d6420555f" : |
| logging.rb:6:20:6:27 | password | semmle.label | password |
@@ -39,25 +41,27 @@ nodes
| logging.rb:28:26:28:33 | password | semmle.label | password |
| logging.rb:30:8:30:55 | call to [] : | semmle.label | call to [] : |
| logging.rb:34:1:34:15 | call to []= : | semmle.label | call to []= : |
| logging.rb:37:20:37:23 | hsh1 : | semmle.label | hsh1 : |
| logging.rb:37:20:37:34 | ...[...] | semmle.label | ...[...] |
| logging.rb:39:20:39:34 | ...[...] | semmle.label | ...[...] |
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | semmle.label | password_masked_ineffective_sub : |
| logging.rb:63:35:63:88 | call to sub : | semmle.label | call to sub : |
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | semmle.label | password_masked_ineffective_gsub : |
| logging.rb:65:36:65:86 | call to gsub : | semmle.label | call to gsub : |
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
| logging.rb:77:9:77:16 | password : | semmle.label | password : |
| logging.rb:79:15:79:22 | password | semmle.label | password |
| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : |
| logging.rb:83:5:83:16 | password_arg : | semmle.label | password_arg : |
| logging.rb:38:20:38:23 | hsh1 : | semmle.label | hsh1 : |
| logging.rb:38:20:38:34 | ...[...] | semmle.label | ...[...] |
| logging.rb:40:20:40:34 | ...[...] | semmle.label | ...[...] |
| logging.rb:44:20:44:23 | hsh1 : | semmle.label | hsh1 : |
| logging.rb:44:20:44:29 | ...[...] | semmle.label | ...[...] |
| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
| logging.rb:68:35:68:65 | password_masked_ineffective_sub : | semmle.label | password_masked_ineffective_sub : |
| logging.rb:68:35:68:88 | call to sub : | semmle.label | call to sub : |
| logging.rb:70:36:70:67 | password_masked_ineffective_gsub : | semmle.label | password_masked_ineffective_gsub : |
| logging.rb:70:36:70:86 | call to gsub : | semmle.label | call to gsub : |
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
| logging.rb:82:9:82:16 | password : | semmle.label | password : |
| logging.rb:84:15:84:22 | password | semmle.label | password |
| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : |
| logging.rb:88:5:88:16 | password_arg : | semmle.label | password_arg : |
subpaths
#select
| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
@@ -71,13 +75,14 @@ subpaths
| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:1:34:15 | call to []= | a write to password |
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:65:36:65:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
| logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:79:15:79:22 | password | a parameter password |
| logging.rb:79:15:79:22 | password | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |
| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:1:34:15 | call to []= : | logging.rb:40:20:40:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:1:34:15 | call to []= | a write to password |
| logging.rb:44:20:44:29 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:44:20:44:29 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub : | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub |
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password |
| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |

5
ruby/ql/test/query-tests/security/cwe-312/logging.rb
View File

@@ -32,11 +32,16 @@ hsh2 = {}
# GOOD: no backwards flow
stdout_logger.info hsh2[:password]
hsh2[:password] = "beeda625d7306b45784d91ea0336e201"
hsh3 = hsh2
# BAD: password logged as plaintext
stdout_logger.info hsh1[:password]
# BAD: password logged as plaintext
stdout_logger.info hsh2[:password]
# BAD: password logged as plaintext
stdout_logger.info hsh3[:password]
# GOOD: not a password
stdout_logger.info hsh1[:foo]
password_masked_sub = "ca497451f5e883662fb1a37bc9ec7838"
password_masked_sub_ex = "ca497451f5e883662fb1a37bc9ec7838"