Merge pull request #9127 from atorralba/atorralba/sensitive-info-log-improvs

atorralba · web-flow · commit 168a184602fc · 2022-05-13T16:57:32.000+02:00
Java: Sensitive Info Log query improvements
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -4,14 +4,15 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.SensitiveActions
+import semmle.code.java.frameworks.android.Compose
 import DataFlow
 
-/** A variable that may hold sensitive information, judging by its name. * */
+/** A variable that may hold sensitive information, judging by its name. */
 class CredentialExpr extends Expr {
   CredentialExpr() {
     exists(Variable v | this = v.getAnAccess() |
-      v.getName().regexpMatch([getCommonSensitiveInfoRegex(), "(?i).*(username).*"]) and
-      not v.isFinal()
+      v.getName().regexpMatch(getCommonSensitiveInfoRegex()) and
+      not this instanceof CompileTimeConstantExpr
     )
   }
 }
@@ -23,4 +24,8 @@ class SensitiveLoggerConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
 
   override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer.asExpr() instanceof LiveLiteral
+  }
 }
diff --git a/java/ql/src/change-notes/2022-05-12-sensitive-log-improvements.md b/java/ql/src/change-notes/2022-05-12-sensitive-log-improvements.md
@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+* Query `java/sensitive-log` has received several improvements.
+  * It no longer considers usernames as sensitive information.
+  * The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
+  * A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
diff --git a/java/ql/test/query-tests/security/CWE-532/Test.java b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -5,12 +5,18 @@ void test(String password) {
         Logger logger = null;
 
         logger.info("User's password is: " + password); // $ hasTaintFlow
-    }   
+    }
 
     void test2(String authToken) {
         Logger logger = null;
 
-        logger.error("Auth failed for: " + authToken); // $ hasTaintFlow 
+        logger.error("Auth failed for: " + authToken); // $ hasTaintFlow
+    }
+
+    void test3(String username) {
+        Logger logger = null;
+
+        logger.error("Auth failed for: " + username); // Safe
     }
 
-}
+}
