Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Rust: Recognize more sensitive data sources #19470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Rust: Recognize more sensitive data sources #19470

wants to merge 6 commits into from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented May 9, 2025

Improve Rust sensitive data analysis:

  • add test cases for additional kinds of sensitive data (loosely based on initial suggestions from copilot)
  • add test cases for additional kinds of not sensitive data (after experimenting with ^)
  • consider more kinds of Rust language constructs for potentially sensitive data (fields, qualifiers, variant calls)

What I haven't done here is improve the heuristics themselves to catch more kinds of sensitive data such as those in the new tests. That change will affect all languages, so I'd rather do it in a separate PR following this one.

TODO:

  • review changes on DCA
  • check performance (a small cost is to be expected here)

@Copilot Copilot AI review requested due to automatic review settings May 9, 2025 12:59
@geoffw0 geoffw0 added the no-change-note-required This PR does not need a change note label May 9, 2025
@geoffw0 geoffw0 requested a review from a team as a code owner May 9, 2025 12:59
@geoffw0 geoffw0 added the Rust Pull requests that update Rust code label May 9, 2025
Copilot
Copilot AI reviewed May 9, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances Rust sensitive data analysis by expanding test coverage for various sensitive and non-sensitive patterns and by extending the CodeQL model to recognize enum variants and field accesses as potential sensitive sources.

  • Added new test cases in test.rs for additional sensitive data identifiers (e.g., MFA, backup codes, device info, private info) and corresponding non-sensitive examples.
  • Extended SensitiveData.qll with SensitiveDataVariant, SensitiveDataVariantCall, and SensitiveFieldAccess to capture enum variant calls and field accesses.
  • Left heuristic logic unchanged, deferring improvements to a follow-up PR.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
rust/ql/test/library-tests/sensitivedata/test.rs Expanded tests for more Rust constructs and data patterns (fields, qualifiers, variants)
rust/ql/lib/codeql/rust/security/SensitiveData.qll Added classes to model enum variants, variant calls, and field accesses as sensitive
Comments suppressed due to low confidence (2)

rust/ql/test/library-tests/sensitivedata/test.rs:68

  • [nitpick] The variable name passwordFile uses camelCase; prefer snake_case (e.g., password_file) for consistency with Rust naming conventions.
sink(passwordFile); // $ SPURIOUS: sensitive=password

rust/ql/test/library-tests/sensitivedata/test.rs:140

  • [nitpick] Field name deviceApiToken uses camelCase; prefer snake_case (device_api_token) to align with Rust community style.
deviceApiToken: String,

@geoffw0 geoffw0 changed the title Moresensitive Rust: Recognize more sensitive data sources May 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@geoffw0