Add sensitive data heuristic

2026-04-26 01:05:15 +02:00 · 2025-09-23 10:08:08 +01:00
parent 6eac6b7258
commit d28e8004fd
5 changed files with 25 additions and 19 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -12,6 +12,7 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Files
 private import semmle.python.Frameworks
 private import semmle.python.security.internal.EncryptionKeySizes
+private import semmle.python.dataflow.new.SensitiveDataSources
 private import codeql.threatmodels.ThreatModels
 private import codeql.concepts.ConceptsShared

@@ -1290,6 +1291,18 @@ module Http {
       */
      DataFlow::Node getValueArg() { result = super.getValueArg() }

+      /** Holds if the name of this cookie indicates it may contain sensitive information. */
+      predicate isSensitive() {
+        exists(DataFlow::Node name |
+          name = [this.getNameArg(), this.getHeaderArg()] and
+          (
+            name instanceof SensitiveDataSource
+            or
+            name = sensitiveLookupStringConst(_)
+          )
+        )
+      }
+
      /**
       * Holds if the `Secure` flag of the cookie is known to have a value of `b`.
       */
--- a/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -334,3 +334,5 @@ private module SensitiveDataModeling {
 }

 predicate sensitiveDataExtraStepForCalls = SensitiveDataModeling::extraStepForCalls/2;
+
+predicate sensitiveLookupStringConst = SensitiveDataModeling::sensitiveLookupStringConst/1;