Python: Model sensitive data based on parameter names

2026-05-02 04:05:14 +02:00 · 2021-06-03 14:25:15 +02:00
parent 925e67d734
commit f5fd0f8d1c
2 changed files with 15 additions and 1 deletions
--- a/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
+++ b/python/ql/src/semmle/python/dataflow/new/SensitiveDataSources.qll
@@ -149,4 +149,15 @@ private module SensitiveDataModeling {

    override SensitiveDataClassification getClassification() { result = classification }
  }
+
+  /** A parameter where the name indicates it will receive sensitive data. */
+  class SensitiveParameter extends SensitiveDataSource::Range, DataFlow::ParameterNode {
+    SensitiveDataClassification classification;
+
+    SensitiveParameter() {
+      nameIndicatesSensitiveData(this.getParameter().getName(), classification)
+    }
+
+    override SensitiveDataClassification getClassification() { result = classification }
+  }
 }