hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-25 03:13:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2ebb80b632b68789a0285dadb41d8d116cd1104f
codeql/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
Owen Mansel-Chan 22692b9d55 Simplify definition of source and improve QLDoc 
This is also slightly faster to evaluate (217s instead of 228s on apache/geode on my machine).
2024-02-16 16:47:41 +00:00

70 lines
2.6 KiB
Plaintext
Raw Blame History

/** Provides configurations for sensitive logging queries. */
import java
private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.SensitiveActions
import semmle.code.java.frameworks.android.Compose
private import semmle.code.java.security.Sanitizers
/** A variable that may hold sensitive information, judging by its name. */
class VariableWithSensitiveName extends Variable {
VariableWithSensitiveName() { this.getName().regexpMatch(getCommonSensitiveInfoRegex()) }
}
/** A reference to a variable that may hold sensitive information, judging by its name. */
class CredentialExpr extends VarAccess {
CredentialExpr() {
this.getVariable() instanceof VariableWithSensitiveName and
not this instanceof CompileTimeConstantExpr
}
}
/** An instantiation of a (reflexive, transitive) subtype of `java.lang.reflect.Type`. */
private class TypeType extends RefType {
pragma[nomagic]
TypeType() {
this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.lang.reflect", "Type")
}
}
/**
* DEPRECATED: Use `SensitiveLoggerConfiguration` module instead.
*
* A data-flow configuration for identifying potentially-sensitive data flowing to a log output.
*/
deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
SensitiveLoggerConfiguration() { this = "SensitiveLoggerConfiguration" }
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer.asExpr() instanceof LiveLiteral or
sanitizer.getType() instanceof PrimitiveType or
sanitizer.getType() instanceof BoxedType or
sanitizer.getType() instanceof NumberType or
sanitizer.getType() instanceof TypeType
}
override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) }
}
/** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
module SensitiveLoggerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
predicate isSink(DataFlow::Node sink) { sinkNode(sink, "log-injection") }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer.asExpr() instanceof LiveLiteral or
sanitizer instanceof SimpleTypeSanitizer or
sanitizer.getType() instanceof TypeType
}
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}
module SensitiveLoggerFlow = TaintTracking::Global<SensitiveLoggerConfig>;
Reference in New Issue View Git Blame Copy Permalink