
Commit 2a2f21d

committed
Ruby: configsig rb/clear-text-logging-sensitive-data
1 parent ce35d69 commit 2a2f21d

2 files changed

Lines changed: 28 additions & 11 deletions


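--- a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
@@ -2,33 +2,51 @@
 * Provides a taint-tracking configuration for "Clear-text logging of sensitive information".
 *
 * Note, for performance reasons: only import this file if
-* `CleartextLogging::Configuration` is needed, otherwise
+* `CleartextLoggingFlow` is needed, otherwise
 * `CleartextLoggingCustomizations` should be imported instead.
 */
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking
 import CleartextLoggingCustomizations::CleartextLogging
-private import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
+private import CleartextLoggingCustomizations::CleartextLogging as CL
 
 /**
 * A taint-tracking configuration for detecting "Clear-text logging of sensitive information".
+* DEPRECATED: Use `CleartextLoggingFlow` instead
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "CleartextLogging" }
 
-override predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
+override predicate isSource(DataFlow::Node source) { source instanceof CL::Source }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof CleartextLogging::Sink }
+override predicate isSink(DataFlow::Node sink) { sink instanceof CL::Sink }
 
 override predicate isSanitizer(DataFlow::Node node) {
 super.isSanitizer(node)
 or
-node instanceof CleartextLogging::Sanitizer
+node instanceof CL::Sanitizer
 }
 
 override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-CleartextLogging::isAdditionalTaintStep(nodeFrom, nodeTo)
+CL::isAdditionalTaintStep(nodeFrom, nodeTo)
 }
 }
+
+private module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof CL::Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof CL::Sink }
+
+predicate isBarrier(DataFlow::Node node) { node instanceof CL::Sanitizer }
+
+predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+CL::isAdditionalTaintStep(nodeFrom, nodeTo)
+}
+}
+
+/**
+* Taint-tracking for detecting "Clear-text logging of sensitive information".
+*/
+module CleartextLoggingFlow = TaintTracking::Global<Config>;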
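Review bot: `Config.isBarrier` lists only `node instanceof CL::Sanitizer`, whereas the deprecated `Configuration.isSanitizer` also kept the `super.isSanitizer(node)` disjunct. That is presumably equivalent because `TaintTracking::Global` supplies the default taint barriers and steps itself, but nothing in the file records it, and the same reasoning applies to `isAdditionalFlowStep` forwarding to `CL::isAdditionalTaintStep`. A QLDoc comment on the private module would make this explicit, for example `/** Flow configuration for clear-text logging; default taint barriers and steps come from TaintTracking::Global. */`. Since this library backs the rb/clear-text-logging-sensitive-data query, re-running the existing query test against its expected output is the way to confirm that no alerts were lost; no test file appears in this commit as shown.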

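--- a/ruby/ql/src/queries/security/cwe-312/CleartextLogging.ql
+++ b/ruby/ql/src/queries/security/cwe-312/CleartextLogging.ql
@@ -15,10 +15,9 @@
 
 import codeql.ruby.AST
 import codeql.ruby.security.CleartextLoggingQuery
-import codeql.ruby.DataFlow
-import DataFlow::PathGraph
+import CleartextLoggingFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink
+where CleartextLoggingFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This logs sensitive data returned by $@ as clear text.",
 source.getNode(), source.getNode().(Source).describe()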
