/**
* @name Insertion of sensitive information into log files
* @description Writing sensitive information to log files can allow that
* information to be leaked to an attacker more easily.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id js/cap-sensitive-log
* @tags security
* external/cwe/cwe-532
*/
import javascript
import advanced_security.javascript.frameworks.cap.CDS
import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
/**
 * Gets an `EntityReferenceFromEntities` whose `getEntitiesCallNamespace()`
 * equals `entityNamespace`.
 *
 * Used to tie a JavaScript-side entity reference to the namespace it was
 * looked up in, so it can be compared against CDS-declared namespaces.
 */
EntityReferenceFromEntities entityAccesses(string entityNamespace) {
  result.getEntitiesCallNamespace() = entityNamespace
}
/**
 * A property read that serves as the taint source for the sensitive-log query.
 *
 * A read qualifies when it is a property read of an entity reference returned
 * by `entityAccesses(namespace)` and its property name equals the name of a
 * `SensitiveAnnotatedAttribute` declared on a `SensitiveAnnotatedEntity` whose
 * namespace is `namespace`.
 *
 * NOTE(review): the visible constraints compare only the namespace and the
 * attribute name. Nothing here compares the name of the accessed entity with
 * `cdlEntity`, so a same-named, non-sensitive field on another entity in the
 * same namespace may also match unless `getAPropertyRead()` already narrows
 * this - confirm against the CDS library. This would be consistent with the
 * query's `@precision medium`.
 */
class SensitiveExposureFieldSource instanceof PropRead {
  SensitiveAnnotatedAttribute cdlAttribute;
  SensitiveAnnotatedEntity cdlEntity;
  string namespace;

  SensitiveExposureFieldSource() {
    // The CDS entity is declared in the namespace used by the entities call ...
    namespace = cdlEntity.(NamespacedEntity).getNamespace() and
    // ... and it owns the sensitive attribute under that attribute's name.
    cdlAttribute = cdlEntity.(CdlEntity).getAttribute(cdlAttribute.getName()) and
    // The JavaScript property being read has the same name as that attribute ...
    cdlAttribute.getName() = this.getPropertyName() and
    // ... and the read is taken from an entity reference in that namespace.
    this = entityAccesses(namespace).getAPropertyRead()
  }

  /** Gets the CDS attribute that this property read was matched against. */
  SensitiveAnnotatedAttribute getCdsField() { result = cdlAttribute }

  /** Gets the string representation of the underlying property read. */
  string toString() { result = super.toString() }
}
/**
 * Flow configuration for the sensitive-log query: values read from
 * sensitive-annotated CDS fields are sources, CAP log calls are sinks.
 *
 * No `isBarrier` is declared, so the signature's default applies.
 * NOTE(review): values that pass through masking, hashing or redaction
 * helpers before being logged would presumably still be reported; such
 * results need manual triage unless a barrier is added.
 */
module SensitiveLogExposureConfig implements DataFlow::ConfigSig {
// Sources: property reads matched to a sensitive CDS attribute (see SensitiveExposureFieldSource).
predicate isSource(DataFlow::Node source) { source instanceof SensitiveExposureFieldSource }
// Sinks: `CdsLogSink` is not defined in this file; presumably it comes from the
// imported CAPLogInjectionQuery library - confirm.
predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
}
// Instantiate global taint tracking (not plain value flow) for the configuration,
// so values derived from a sensitive field are followed as well.
module SensitiveLogExposureConfigFlow = TaintTracking::Global<SensitiveLogExposureConfig>;
// PathGraph provides the path edges that a `@kind path-problem` query must expose.
import SensitiveLogExposureConfigFlow::PathGraph
// Report every source-to-sink path. The alert is located at the sink; the `$@`
// placeholder in the message links to the matched CDS attribute and uses the
// attribute's name as the link text.
from SensitiveLogExposureConfigFlow::PathNode source, SensitiveLogExposureConfigFlow::PathNode sink
where SensitiveLogExposureConfigFlow::flowPath(source, sink)
select sink, source, sink,
"Log entry depends on the $@ field which is annotated as potentially sensitive.",
source.getNode().(SensitiveExposureFieldSource).getCdsField(),
source.getNode().(SensitiveExposureFieldSource).getCdsField().getName()