/**
* @name Insertion of sensitive information into log files
* @description Writing information that is heuristically classified as sensitive to log files can allow that
* information to be leaked to an attacker more easily.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision low
* @id js/cap-sensitive-log-heurisitic-source
* @tags security
* external/cwe/cwe-532
*/
import javascript
import advanced_security.javascript.frameworks.cap.CDS
import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
module SensitiveLogExposureConfig implements DataFlow::ConfigSig {
  /**
   * Holds if `source` is classified as sensitive by the shared cleartext-logging
   * model (`CleartextLogging::Source`), which is what gives this query its
   * heuristic (low-precision) character.
   */
  predicate isSource(DataFlow::Node source) { source = any(CleartextLogging::Source s) }

  /**
   * Holds if `sink` is a `CdsLogSink`. That class is provided by the CAP library
   * modules imported at the top of this file, not defined here.
   */
  predicate isSink(DataFlow::Node sink) { sink = any(CdsLogSink s) }

  /**
   * Reuses the extra taint steps of the shared cleartext-logging model so that
   * the same propagation rules apply as in the standard query.
   */
  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    CleartextLogging::isAdditionalTaintStep(pred, succ)
  }

  /** Holds if `node` is a barrier of the shared cleartext-logging model. */
  predicate isBarrier(DataFlow::Node node) { node = any(CleartextLogging::Barrier b) }

  /**
   * Intentionally pairs every sink node with the "any property" content set.
   * A cartesian product is normally undesirable, but here it is the point:
   * once an object reaches a sink, every property of that object is treated as
   * logged too (it can be read implicitly at the sink).
   */
  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
    isSink(node) and
    contents = DataFlow::ContentSet::anyProperty()
  }
}
/** Global taint-tracking flow instantiated from `SensitiveLogExposureConfig`. */
module SensitiveLogExposureFlow = TaintTracking::Global<SensitiveLogExposureConfig>;
import SensitiveLogExposureFlow::PathGraph
// Report every source-to-sink path found by the taint configuration above.
// The alert is placed on the sink; the `$@` in the message is bound to the
// source node and labelled with the source's own `describe()` text from the
// shared cleartext-logging model.
from SensitiveLogExposureFlow::PathNode source, SensitiveLogExposureFlow::PathNode sink
where SensitiveLogExposureFlow::flowPath(source, sink)
select sink, source, sink, "This logs sensitive data returned by $@ as clear text.",
  source.getNode(), source.getNode().(CleartextLogging::Source).describe()