codeql/java/ql/test/query-tests/security/CWE-532/Test.java
MarkLee131 20cfe29199 Java: reduce false positives in sensitive-log by expanding FP exclusion regex
The getCommonSensitiveInfoFPRegex() only excluded "null", "tokenizer", and
"tokenImage", causing widespread false positives for common non-sensitive
variable names containing "token" or "secret".

This adds exclusions for three categories:
- Pagination/iteration tokens: nextToken (AWS SDK), pageToken (GCP),
  continuationToken (Azure), etc.
- Token metadata: tokenType (OAuth), tokenEndpoint (OIDC), tokenCount,
  tokenIndex, tokenLength, tokenUrl, etc.
- Secret metadata: secretName (K8s/AWS), secretId (Azure),
  secretVersion, secretArn, secretPath, etc.

All truly sensitive variable names (accessToken, clientSecret, secretKey,
refreshToken, etc.) remain correctly flagged.
2026-04-04 21:33:35 +08:00


import org.apache.logging.log4j.Logger;
// Query-test fixture for the CWE-532 (sensitive information written to log)
// query. As a CodeQL query test this code is only analyzed, never executed,
// which is why every `logger` is left null. The trailing `// $ Alert` and
// `// Safe` comments are the expected query results for each logging call.
class Test {
    // Baseline cases: credential-named parameters logged directly, parameter
    // names that merely contain "token", and partial logging via substring.
    void test(String password, String authToken, String username, String nullToken, String stringTokenizer) {
        Logger logger = null;
        int zero = 0;
        int four = 4;
        short zeroS = 0;
        long fourL = 4L;
        logger.info("User's password is: " + password); // $ Alert
        logger.error("Auth failed for: " + authToken); // $ Alert
        logger.error("Auth failed for: " + username); // Safe
        // "null" and "tokenizer" are covered by the pre-existing exclusion regex.
        logger.error("Auth failed for: " + nullToken); // Safe
        logger.error("Auth failed for: " + stringTokenizer); // Safe
        // Substring bounds may be literals or integer-typed locals (with casts).
        // NOTE(review): substring(4) logs everything after the first four
        // characters yet is expected Safe — presumably the query keys on the
        // constant bound value rather than on how much of the token is kept;
        // worth confirming against the query's substring logic.
        logger.error("Auth failed for: " + authToken.substring(4) + "..."); // Safe
        logger.error("Auth failed for: " + authToken.substring(four) + "..."); // Safe
        logger.error("Auth failed for: " + authToken.substring(0,4) + "..."); // Safe
        logger.error("Auth failed for: " + authToken.substring(zero,four) + "..."); // Safe
        logger.error("Auth failed for: " + authToken.substring((int)zeroS,(int)fourL) + "..."); // Safe
        // Ranges that do not start at 0 or that keep more than four characters
        // are still reported.
        logger.error("Auth failed for: " + authToken.substring(1,5) + "..."); // $ Alert
        logger.error("Auth failed for: " + authToken.substring(0,8) + "..."); // $ Alert
    }
    // Tests for false positive exclusions: variables with "token" or "secret" in the name
    // that do not hold sensitive data.
    // NOTE(review): the exclusion is by identifier pattern only. A value such as
    // tokenUrl, tokenEndpoint or secretPath could still embed a credential at
    // runtime; these cases document the heuristic, not a guarantee about the value.
    void testFalsePositiveExclusions(
        String nextToken, String pageToken, String continuationToken, String cursorToken,
        String tokenType, String tokenEndpoint, String tokenCount, String tokenUrl,
        String tokenIndex, String tokenLength, String tokenName, String tokenId,
        String secretName, String secretId, String secretVersion, String secretArn,
        String secretPath, String secretType, String secretQuestion,
        String secretManager, String secretProperties
    ) {
        Logger logger = null;
        // Pagination/iteration tokens (e.g., AWS SDK, GCP, Azure pagination cursors)
        logger.info("cursor: " + nextToken); // Safe
        logger.info("cursor: " + pageToken); // Safe
        logger.info("cursor: " + continuationToken); // Safe
        logger.info("cursor: " + cursorToken); // Safe
        // Token metadata (e.g., OAuth token type, OIDC discovery endpoint)
        logger.info("type: " + tokenType); // Safe
        logger.info("endpoint: " + tokenEndpoint); // Safe
        logger.info("count: " + tokenCount); // Safe
        logger.info("url: " + tokenUrl); // Safe
        logger.info("index: " + tokenIndex); // Safe
        logger.info("length: " + tokenLength); // Safe
        logger.info("name: " + tokenName); // Safe
        logger.info("id: " + tokenId); // Safe
        // Secret metadata (e.g., K8s secret name, AWS Secrets Manager identifiers)
        logger.info("name: " + secretName); // Safe
        logger.info("id: " + secretId); // Safe
        logger.info("version: " + secretVersion); // Safe
        logger.info("arn: " + secretArn); // Safe
        logger.info("path: " + secretPath); // Safe
        logger.info("type: " + secretType); // Safe
        logger.info("question: " + secretQuestion); // Safe
        logger.info("manager: " + secretManager); // Safe
        logger.info("properties: " + secretProperties); // Safe
    }
    // These should still be flagged as sensitive: names that denote the
    // credential itself, not metadata about it. Guards against the widened
    // exclusion regex over-matching.
    void testTruePositives(String accessToken, String clientSecret, String apiSecret,
        String sessionToken, String bearerToken, String secretKey,
        String refreshToken, String secretValue) {
        Logger logger = null;
        logger.info("token: " + accessToken); // $ Alert
        logger.info("secret: " + clientSecret); // $ Alert
        logger.info("secret: " + apiSecret); // $ Alert
        logger.info("token: " + sessionToken); // $ Alert
        logger.info("token: " + bearerToken); // $ Alert
        logger.info("key: " + secretKey); // $ Alert
        logger.info("token: " + refreshToken); // $ Alert
        logger.info("value: " + secretValue); // $ Alert
    }
}