Merge branch 'main' into post-release-prep/codeql-cli-2.10.0

2025-12-20 18:56:32 +01:00 · 2022-06-27 20:37:25 +02:00
parent d506f448ef dfe276aa18
commit cc57cb8af5
331 changed files with 13701 additions and 4340 deletions
--- a/python/ql/lib/change-notes/2022-06-22-sensitive-common-words.md
+++ b/python/ql/lib/change-notes/2022-06-22-sensitive-common-words.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of sensitive data sources, so common words like `certain` and `secretary` are no longer considered a certificate and a secret (respectively).
--- a/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
+++ b/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -50,7 +50,7 @@ module HeuristicNames {
   * Gets a regular expression that identifies strings that may indicate the presence of secret
   * or trusted data.
   */
-  string maybeSecret() { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
+  string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }

  /**
   * Gets a regular expression that identifies strings that may indicate the presence of
@@ -96,10 +96,14 @@ module HeuristicNames {
   * Gets a regular expression that identifies strings that may indicate the presence of data
   * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
   * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
+   *
+   * We also filter out common words like `certain` and `concert`, since otherwise these could
+   * be matched by the certificate regular expressions. Same for `accountable` (account), or
+   * `secretarial` (secret).
   */
  string notSensitiveRegexp() {
    result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)).*"
+      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)|certain|concert|secretar|accountant|accountab).*"
  }

  /**
--- a/python/ql/test/experimental/dataflow/sensitive-data/test.py
+++ b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -37,6 +37,10 @@ f = not_found.get_passwd # $ SensitiveDataSource=password
 x = f()
 print(x) # $ SensitiveUse=password

+# some prefixes makes us ignore it as a source
+not_found.isSecret
+not_found.is_secret
+
 def my_func(non_sensitive_name):
    x = non_sensitive_name()
    print(x) # $ SensitiveUse=password
@@ -56,6 +60,11 @@ getattr(foo, x) # $ SensitiveDataSource=password
 def my_func(password): # $ SensitiveDataSource=password
    print(password) # $ SensitiveUse=password

+# FP where the `cert` in `uncertainty` makes us treat it like a certificate
+# https://github.com/github/codeql/issues/9632
+def my_other_func(uncertainty):
+    print(uncertainty)
+
 password = some_function() # $ SensitiveDataSource=password
 print(password) # $ SensitiveUse=password