address review feedback on MaskingReplacer
This commit is contained in:
Родитель
4ec2070e48
Коммит
8ff515a58d
|
@ -34,18 +34,18 @@ module CleartextLogging {
|
|||
abstract class Barrier extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A call to `.replace()` that seems to mask
|
||||
* A call to `.replace()` that seems to mask sensitive information.
|
||||
*/
|
||||
class MaskingReplacer extends Barrier, DataFlow::MethodCallNode {
|
||||
MaskingReplacer() {
|
||||
this.getCalleeName() = "replace" and
|
||||
exists(RegExpLiteral reg|
|
||||
exists(RegExpLiteral reg |
|
||||
reg = this.getArgument(0).getALocalSource().asExpr() and
|
||||
reg.getFlags().regexpMatch("(?i).*g.*") and
|
||||
reg.getRoot().getRawValue().regexpMatch(".*\\..*")
|
||||
reg.isGlobal() and
|
||||
any(RegExpDot term).getLiteral() = reg
|
||||
)
|
||||
and
|
||||
this.getArgument(1).asExpr() instanceof StringLiteral
|
||||
exists(this.getArgument(1).getStringValue())
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
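Review bot: `any(RegExpDot term).getLiteral() = reg` in the new MaskingReplacer body is satisfied by any regexp that contains a wildcard somewhere, so a literal like `/a.b/g` — which only rewrites matching substrings and leaves the rest of the value in cleartext — still qualifies as a masking barrier. If the intent is that the whole value be masked, a tighter check would anchor the dot at the root, e.g. `reg.getRoot() instanceof RegExpDot and` (possibly also accepting a quantified dot such as `/.+/g`); if the looser match is deliberate, a one-line comment on the class saying it over-approximates would help the next reader. Similarly, `exists(this.getArgument(1).getStringValue())` only requires a constant replacement, so a replacement like `"$&"`, which re-inserts the match, is accepted as well. The enclosing `module CleartextLogging` starts outside the hunk.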
@ -120,10 +120,14 @@ nodes
|
|||
| passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:158:17:158:27 | process.env |
|
||||
| passwords.js:158:17:158:27 | process.env |
|
||||
| passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords.js:163:14:163:21 | password |
|
||||
| passwords.js:163:14:163:21 | password |
|
||||
| passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:21 | password |
|
||||
| passwords.js:164:14:164:21 | password |
|
||||
| passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
|
@ -260,6 +264,14 @@ edges
|
|||
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
|
||||
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
|
||||
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
|
||||
|
@ -301,6 +313,8 @@ edges
|
|||
| passwords.js:142:26:142:34 | arguments | passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:150:21:150:31 | process.env | process environment |
|
||||
| passwords.js:142:26:142:34 | arguments | passwords.js:152:33:152:43 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:152:33:152:43 | process.env | process environment |
|
||||
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
|
||||
| passwords.js:163:14:163:41 | passwor ... g, "*") | passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:163:14:163:21 | password | an access to password |
|
||||
| passwords.js:164:14:164:42 | passwor ... g, "*") | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:164:14:164:21 | password | an access to password |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
|
||||
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
|
||||
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
|
||||
|
|
|
@ -157,3 +157,9 @@ var Util = require('util');
|
|||
console.log(process.env.PATH); // OK.
|
||||
console.log(process.env["foo" + "bar"]); // OK.
|
||||
});
|
||||
|
||||
(function () {
|
||||
console.log(password.replace(/./g, "*")); // OK!
|
||||
console.log(password.replace(/\./g, "*")); // NOT OK!
|
||||
console.log(password.replace(/foo/g, "*")); // NOT OK!
|
||||
})();
|