JS: Rewrite to use nameIndicatesSensitiveData

I added this predicate mostly because it was a convenient shortcut,
but also because I spotted that `CredentialsFunctionName` does not check against the
regexps in `notSensitive`, which looked suspicious. So the main goal of adding
`nameIndicatesSensitiveData` is that you don't accidentally forget to ensure
that the name doesn't match against `notSensitive`.
This commit is contained in:
Rasmus Wriedt Larsen
2021-04-21 11:26:17 +02:00
parent b6f8e5057b
commit b9a1a1fd5c


@@ -50,8 +50,7 @@ class SensitiveCall extends SensitiveExpr, InvokeExpr {
// This is particularly to pick up methods with an argument like "password", which
// may indicate a lookup.
exists(string s | this.getAnArgument().mayHaveStringValue(s) |
s.regexpMatch(maybeSensitive(classification)) and
not s.regexpMatch(notSensitive())
nameIndicatesSensitiveData(s, classification)
)
}
@@ -84,10 +83,7 @@ private class BasicSensitiveWrite extends SensitiveWrite {
SensitiveDataClassification classification;
BasicSensitiveWrite() {
exists(string name |
name.regexpMatch(maybeSensitive(classification)) and
not name.regexpMatch(notSensitive())
|
exists(string name | nameIndicatesSensitiveData(name, classification) |
exists(DataFlow::PropWrite pwn |
pwn.getPropertyName() = name and
pwn.getRhs() = this
@@ -109,9 +105,7 @@ private class BasicSensitiveWrite extends SensitiveWrite {
private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
SensitiveDataClassification classification;
BasicSensitiveVariableAccess() {
name.regexpMatch(maybeSensitive(classification)) and not name.regexpMatch(notSensitive())
}
BasicSensitiveVariableAccess() { nameIndicatesSensitiveData(name, classification) }
override SensitiveDataClassification getClassification() { result = classification }
}
@@ -135,7 +129,11 @@ abstract class SensitiveDataFunctionName extends SensitiveFunctionName {
class CredentialsFunctionName extends SensitiveDataFunctionName {
SensitiveDataClassification classification;
CredentialsFunctionName() { this.regexpMatch(maybeSensitive(classification)) }
CredentialsFunctionName() {
// TODO: is it by purpose that we don't check whether `this` does not
// match the regexps in `notSensitive`?
this.regexpMatch(maybeSensitive(classification))
}
override SensitiveDataClassification getClassification() { result = classification }
}
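Review bot: `CredentialsFunctionName` still matches `maybeSensitive(classification)` on its own, so a function name that also matches `notSensitive()` is classified as a credential here while the same string in variable, property or argument position (the other three hunks) is not. Since the commit message says the purpose of `nameIndicatesSensitiveData` is to make that exclusion hard to forget, the TODO is better resolved than left open: either change the body to `nameIndicatesSensitiveData(this, classification)` so all four sites agree, or, if the broader match is deliberate, replace the TODO with a QLDoc line such as `/** Function names are matched without the notSensitive() exclusion because ... */` stating the reason. Whether skipping the exclusion was intentional cannot be confirmed from these hunks, and the definitions of `maybeSensitive` and `notSensitive` are outside the shown lines.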