Ruby: Add CleartextLogging.qhelp

alexrford · alexrford · commit 186623f878cf · 2022-01-28T17:24:56.000Z
diff --git a/ruby/ql/src/queries/security/cwe-312/CleartextLogging.qhelp b/ruby/ql/src/queries/security/cwe-312/CleartextLogging.qhelp
@@ -0,0 +1,51 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Sensitive information that is stored unencrypted is accessible to an attacker
+who gains access to the storage.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Ensure that sensitive information is always encrypted before being stored.
+</p>
+<p>
+In general, decrypt sensitive information only at the point where it is
+necessary for it to be used in cleartext.
+</p>
+
+<p>
+
+Be aware that external processes often store the <code>standard
+out</code> and <code>standard error</code> streams of the application,
+causing logged sensitive information to be stored as well.
+
+</p>
+
+</recommendation>
+
+<example>
+<p>
+The following example code logs user credentials (in this case, their password)
+to <code>standard out</code> in plaintext:
+</p>
+<sample src="examples/CleartextLoggingBad.rb"/>
+<p>
+Instead, the credentials should be masked or redacted before logging:
+</p>
+<sample src="examples/CleartextLoggingGood.rb"/>
+</example>
+
+
+<references>
+
+<li>M. Dowd, J. McDonald and J. Schuhm, <i>The Art of Software Security Assessment</i>, 1st Edition, Chapter 2 - 'Common Vulnerabilities of Encryption', p. 43. Addison Wesley, 2006.</li>
+<li>M. Howard and D. LeBlanc, <i>Writing Secure Code</i>, 2nd Edition, Chapter 9 - 'Protecting Secret Data', p. 299. Microsoft, 2002.</li>
+
+</references>
+</qhelp>
diff --git a/ruby/ql/src/queries/security/cwe-312/examples/CleartextLoggingBad.rb b/ruby/ql/src/queries/security/cwe-312/examples/CleartextLoggingBad.rb
@@ -0,0 +1,10 @@
+require 'Logger'
+
+class UserSession
+  @@logger = Logger.new STDOUT
+
+  def login(username, password)
+    # ...
+    @@logger.info "login with password: #{password})"
+  end
+end
diff --git a/ruby/ql/src/queries/security/cwe-312/examples/CleartextLoggingGood.rb b/ruby/ql/src/queries/security/cwe-312/examples/CleartextLoggingGood.rb
@@ -0,0 +1,11 @@
+require 'Logger'
+
+class UserSession
+  @@logger = Logger.new STDOUT
+
+  def login(username, password)
+    # ...
+    password_escaped = password.sub(/.*/, "[redacted]")
+    @@logger.info "login with password: #{password_escaped})"
+  end
+end
