Update qldoc

luchua-bc · luchua-bc · commit 3d26e5b8a430 · 2021-01-06T12:41:00.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.qhelp b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.qhelp
@@ -2,17 +2,15 @@
 <qhelp>
 
   <overview>
-    <p>Sensitive information like user passwords is transmitted within the query string of the requested URL in GET requests. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.</p>
-
-    <p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if an application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p>
+    <p>Sensitive information such as user passwords should not be transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL therefore increases the risk that they will be captured by an attacker.</p>
   </overview>
 
   <recommendation>
-    <p>Use HTTP POST to send sensitive information either in web forms or REST web services calls.</p>
+    <p>Use HTTP POST to send sensitive information as part of the request body; for example, as form data.</p>
   </recommendation>
 
   <example>
-    <p>The following example shows two ways of sending sensitive information. In the 'BAD' case, password is transmitted using the GET method. In the 'GOOD' case, the password is transmitted using the POST method.</p>
+    <p>The following example shows two ways of sending sensitive information. In the 'BAD' case, a password is transmitted using the GET method. In the 'GOOD' case, the password is transmitted using the POST method.</p>
     <sample src="SensitiveGetQuery.java" />
   </example>
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -35,7 +35,7 @@ class GetHttpRequestSource extends DataFlow::ExprNode {
   }
 }
 
-/** Taint configuration of using GET requests with sensitive query strings. */
+/** Taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */
 class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {
   SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" }
 
@@ -52,5 +52,6 @@ class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c
 where c.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "$@ uses GET request method with sensitive information.",
-  source.getNode(), "sensitive query string"
+select sink.getNode(), source, sink,
+  "$@ uses the GET request method to transmit sensitive information.", source.getNode(),
+  "This request"
diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected
@@ -31,11 +31,11 @@ nodes
 | SensitiveGetQuery.java:17:40:17:54 | password : String | semmle.label | password : String |
 | SensitiveGetQuery.java:18:61:18:68 | password | semmle.label | password |
 #select
-| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:19 | request : HttpServletRequest | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery2.java:12:13:12:19 | request | sensitive query string |
-| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:19 | request : HttpServletRequest | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery2.java:12:13:12:19 | request | sensitive query string |
-| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:11:41:11:47 | request : HttpServletRequest | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery3.java:11:41:11:47 | request | sensitive query string |
-| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:12:41:12:47 | request : HttpServletRequest | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery3.java:12:41:12:47 | request | sensitive query string |
-| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:11:21:11:27 | request : HttpServletRequest | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:11:21:11:27 | request | sensitive query string |
-| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:27 | request : HttpServletRequest | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:21:12:27 | request | sensitive query string |
-| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:11:21:11:27 | request : HttpServletRequest | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:11:21:11:27 | request | sensitive query string |
-| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:27 | request : HttpServletRequest | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:21:12:27 | request | sensitive query string |
+| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:19 | request : HttpServletRequest | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:19 | request | This request |
+| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:19 | request : HttpServletRequest | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery2.java:12:13:12:19 | request | This request |
+| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:11:41:11:47 | request : HttpServletRequest | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery3.java:11:41:11:47 | request | This request |
+| SensitiveGetQuery3.java:13:57:13:64 | password | SensitiveGetQuery3.java:12:41:12:47 | request : HttpServletRequest | SensitiveGetQuery3.java:13:57:13:64 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery3.java:12:41:12:47 | request | This request |
+| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:11:21:11:27 | request : HttpServletRequest | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:11:21:11:27 | request | This request |
+| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:27 | request : HttpServletRequest | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:27 | request | This request |
+| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:11:21:11:27 | request : HttpServletRequest | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:11:21:11:27 | request | This request |
+| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:27 | request : HttpServletRequest | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses the GET request method to transmit sensitive information. | SensitiveGetQuery.java:12:21:12:27 | request | This request |

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ class GetHttpRequestSource extends DataFlow::ExprNode {`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`-/** Taint configuration of using GET requests with sensitive query strings. */`
	`38`	+/** Taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */
`39`	`39`	`class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {`
`40`	`40`	`SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" }`
`41`	`41`
`@@ -52,5 +52,6 @@ class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {`
`52`	`52`
`53`	`53`	`from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c`
`54`	`54`	`where c.hasFlowPath(source, sink)`
`55`		`-select sink.getNode(), source, sink, "$@ uses GET request method with sensitive information.",`
`56`		`- source.getNode(), "sensitive query string"`
	`55`	`+select sink.getNode(), source, sink,`
	`56`	`+ "$@ uses the GET request method to transmit sensitive information.", source.getNode(),`
	`57`	`+ "This request"`