hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ea4c2e432100cb15e4ad5448d02c36153a6f9f95
codeql/python/ql/test/query-tests/Security/CWE-312-CleartextLogging/test.py
Rasmus Wriedt Larsen 9342e3ba76 Python: Enable new test 
But look at all those elements from getpass.py implementation :(
2022-11-22 13:59:59 +01:00

82 lines
2.0 KiB
Python
Raw Blame History

import logging
import sys
LOGGER = logging.getLogger("LOGGER")
def get_logger():
return LOGGER
def get_password():
return "<PASSWORD>"
def get_cert():
return "<CERT>"
def log_password():
password = get_password()
logging.info("logging.info Password '%s'", password) # NOT OK
LOGGER.log(logging.INFO, "LOGGER.log Password '%s'", password) # NOT OK
logging.root.info("logging.root.info Password '%s'", password) # NOT OK
# name of logger variable should not matter
foo = LOGGER
foo.info("foo.info Password '%s'", password) # NOT OK
# return value from function
get_logger().info("get_logger().info Password '%s'", password) # NOT OK
def log_cert():
logging.debug("Cert=%s", get_cert()) # NOT OK
def print_password():
print(get_password()) # NOT OK
sys.stdout.write(get_password()) # NOT OK
sys.stderr.write(get_password()) # NOT OK
import getpass
x = getpass.getpass()
print(x) # NOT OK
def FPs(account, account_id):
# we assume that any account parameter is sensitive (id/username)
# https://github.com/github/codeql/issues/6363
print(account) # OK
# https://github.com/github/codeql/issues/6927
arn = f"arn:aws:iam::{account_id}:role/cfripper-access"
logging.info(f"Preparing to assume role: {arn}") # OK
# Harmless UUIDs
# https://github.com/github/codeql/issues/6726
# https://github.com/github/codeql/issues/7497
x = generate_uuid4()
print(x) # OK
# username not considered sensitive
# https://github.com/github/codeql/issues/7116
logging.error("Misc Exception. User %s: %s", request.user.username)
# dictionary taint-flow cross-talk
# https://github.com/github/codeql/issues/6380
import settings
config = {
"sleep_timer": 5,
"password": settings.password
}
print(config["sleep_timer"]) # OK
if __name__ == "__main__":
logging.basicConfig(level=logging.DEBUG)
log_password()
log_cert()
print_password()
Reference in New Issue View Git Blame Copy Permalink