Ruby: rb/clear-text-logging-sensitive-data - match on CFG nodes rather than AST nodes

alexrford · alexrford · commit 59ab384825cc · 2022-02-10T15:50:56.000Z
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingCustomizations.qll
@@ -210,15 +210,17 @@ module CleartextLogging {
     private string name;
 
     HashLiteralPasswordSource() {
-      exists(DataFlow::Node val, HashLiteral lit |
+      exists(DataFlow::Node val, CfgNodes::ExprNodes::HashLiteralCfgNode lit |
         name.regexpMatch(maybePassword()) and
         not name.regexpMatch(notSensitiveRegexp()) and
         // avoid safe values assigned to presumably unsafe names
         not val instanceof NonCleartextPassword and
         // hash = { name: val }
-        exists(Pair p | this.asExpr().getExpr() = lit and p = lit.getAKeyValuePair() |
+        exists(CfgNodes::ExprNodes::PairCfgNode p |
+          this.asExpr() = lit and p = lit.getAKeyValuePair()
+        |
           p.getKey().getConstantValue().getStringOrSymbol() = name and
-          p.getValue() = val.asExpr().getExpr()
+          p.getValue() = val.asExpr()
         )
       )
     }
diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected
@@ -10,7 +10,9 @@ edges
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:23:33:23:40 | password |
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:26:18:26:34 | "pw: #{...}" |
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:28:26:28:33 | password |
+| logging.rb:30:8:30:55 | call to [] :  | logging.rb:37:20:37:23 | hsh1 :  |
 | logging.rb:34:1:34:15 | call to []= :  | logging.rb:39:20:39:34 | ...[...] |
+| logging.rb:37:20:37:23 | hsh1 :  | logging.rb:37:20:37:34 | ...[...] |
 | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex |
 | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex |
 | logging.rb:63:35:63:88 | call to sub :  | logging.rb:69:20:69:50 | password_masked_ineffective_sub |
@@ -31,7 +33,10 @@ nodes
 | logging.rb:23:33:23:40 | password | semmle.label | password |
 | logging.rb:26:18:26:34 | "pw: #{...}" | semmle.label | "pw: #{...}" |
 | logging.rb:28:26:28:33 | password | semmle.label | password |
+| logging.rb:30:8:30:55 | call to [] :  | semmle.label | call to [] :  |
 | logging.rb:34:1:34:15 | call to []= :  | semmle.label | call to []= :  |
+| logging.rb:37:20:37:23 | hsh1 :  | semmle.label | hsh1 :  |
+| logging.rb:37:20:37:34 | ...[...] | semmle.label | ...[...] |
 | logging.rb:39:20:39:34 | ...[...] | semmle.label | ...[...] |
 | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" :  |
 | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" :  | semmle.label | "a7e3747b19930d4f4b8181047194832f" :  |
@@ -58,7 +63,8 @@ subpaths
 | logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:23:33:23:40 | password | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
 | logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:26:18:26:34 | "pw: #{...}" | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
 | logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:28:26:28:33 | password | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
-| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= :  | logging.rb:39:20:39:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:34:1:34:15 | call to []= | an write to password |
+| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] :  | logging.rb:37:20:37:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:30:8:30:55 | call to [] | an write to password |
+| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= :  | logging.rb:39:20:39:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:34:1:34:15 | call to []= | a write to password |
 | logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub :  | logging.rb:69:20:69:50 | password_masked_ineffective_sub | Sensitive data returned by $@ is logged here. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
 | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:65:36:65:86 | call to gsub :  | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | Sensitive data returned by $@ is logged here. | logging.rb:65:36:65:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
 | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | Sensitive data returned by $@ is logged here. | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
