Python: ignore common words (certain/concert) as sensitive source

RasmusWL · RasmusWL · commit 5dc2bb717abc · 2022-06-22T11:05:05.000+02:00
diff --git a/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -96,10 +96,14 @@ module HeuristicNames {
    * Gets a regular expression that identifies strings that may indicate the presence of data
    * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
    * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
+   *
+   * We also filter out common words like `certain` and `concert`, since otherwise these could
+   * be matched by the certificate regular expressions. Same for `accountable` (account), or
+   * `secretarial` (secret).
    */
   string notSensitiveRegexp() {
     result =
-      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)).*"
+      "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)|certain|concert|secretar|accountant|accountab).*"
   }
 
   /**
diff --git a/python/ql/test/experimental/dataflow/sensitive-data/test.py b/python/ql/test/experimental/dataflow/sensitive-data/test.py
@@ -58,8 +58,8 @@ def my_func(password): # $ SensitiveDataSource=password
 
 # FP where the `cert` in `uncertainty` makes us treat it like a certificate
 # https://github.com/github/codeql/issues/9632
-def my_other_func(uncertainty): # $ SPURIOUS: SensitiveDataSource=certificate
-    print(uncertainty) # $ SPURIOUS: SensitiveUse=certificate
+def my_other_func(uncertainty):
+    print(uncertainty)
 
 password = some_function() # $ SensitiveDataSource=password
 print(password) # $ SensitiveUse=password
