Ruby: Add a test that shows FP/FN for clear text logging query

hvitved · hvitved · commit ae10e6e08fca · 2023-03-16T14:38:45.000+01:00
diff --git a/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected b/ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected
@@ -10,20 +10,22 @@ edges
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:23:33:23:40 | password |
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:26:18:26:34 | "pw: #{...}" |
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:28:26:28:33 | password |
-| logging.rb:30:8:30:55 | call to [] :  | logging.rb:37:20:37:23 | hsh1 :  |
-| logging.rb:34:1:34:15 | call to []= :  | logging.rb:39:20:39:34 | ...[...] |
-| logging.rb:37:20:37:23 | hsh1 :  | logging.rb:37:20:37:34 | ...[...] |
-| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:63:35:63:65 | password_masked_ineffective_sub :  |
-| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex |
-| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:65:36:65:67 | password_masked_ineffective_gsub :  |
-| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex |
-| logging.rb:63:35:63:65 | password_masked_ineffective_sub :  | logging.rb:63:35:63:88 | call to sub :  |
-| logging.rb:63:35:63:88 | call to sub :  | logging.rb:69:20:69:50 | password_masked_ineffective_sub |
-| logging.rb:65:36:65:67 | password_masked_ineffective_gsub :  | logging.rb:65:36:65:86 | call to gsub :  |
-| logging.rb:65:36:65:86 | call to gsub :  | logging.rb:71:20:71:51 | password_masked_ineffective_gsub |
-| logging.rb:77:9:77:16 | password :  | logging.rb:79:15:79:22 | password |
-| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | logging.rb:83:5:83:16 | password_arg :  |
-| logging.rb:83:5:83:16 | password_arg :  | logging.rb:77:9:77:16 | password :  |
+| logging.rb:30:8:30:55 | call to [] :  | logging.rb:38:20:38:23 | hsh1 :  |
+| logging.rb:30:8:30:55 | call to [] :  | logging.rb:44:20:44:23 | hsh1 :  |
+| logging.rb:34:1:34:15 | call to []= :  | logging.rb:40:20:40:34 | ...[...] |
+| logging.rb:38:20:38:23 | hsh1 :  | logging.rb:38:20:38:34 | ...[...] |
+| logging.rb:44:20:44:23 | hsh1 :  | logging.rb:44:20:44:29 | ...[...] |
+| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:68:35:68:65 | password_masked_ineffective_sub :  |
+| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex |
+| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:70:36:70:67 | password_masked_ineffective_gsub :  |
+| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex |
+| logging.rb:68:35:68:65 | password_masked_ineffective_sub :  | logging.rb:68:35:68:88 | call to sub :  |
+| logging.rb:68:35:68:88 | call to sub :  | logging.rb:74:20:74:50 | password_masked_ineffective_sub |
+| logging.rb:70:36:70:67 | password_masked_ineffective_gsub :  | logging.rb:70:36:70:86 | call to gsub :  |
+| logging.rb:70:36:70:86 | call to gsub :  | logging.rb:76:20:76:51 | password_masked_ineffective_gsub |
+| logging.rb:82:9:82:16 | password :  | logging.rb:84:15:84:22 | password |
+| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | logging.rb:88:5:88:16 | password_arg :  |
+| logging.rb:88:5:88:16 | password_arg :  | logging.rb:82:9:82:16 | password :  |
 nodes
 | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | semmle.label | "043697b96909e03ca907599d6420555f" :  |
 | logging.rb:6:20:6:27 | password | semmle.label | password |
@@ -39,25 +41,27 @@ nodes
 | logging.rb:28:26:28:33 | password | semmle.label | password |
 | logging.rb:30:8:30:55 | call to [] :  | semmle.label | call to [] :  |
 | logging.rb:34:1:34:15 | call to []= :  | semmle.label | call to []= :  |
-| logging.rb:37:20:37:23 | hsh1 :  | semmle.label | hsh1 :  |
-| logging.rb:37:20:37:34 | ...[...] | semmle.label | ...[...] |
-| logging.rb:39:20:39:34 | ...[...] | semmle.label | ...[...] |
-| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" :  |
-| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" :  |
-| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" :  | semmle.label | "a7e3747b19930d4f4b8181047194832f" :  |
-| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" :  | semmle.label | "a7e3747b19930d4f4b8181047194832f" :  |
-| logging.rb:63:35:63:65 | password_masked_ineffective_sub :  | semmle.label | password_masked_ineffective_sub :  |
-| logging.rb:63:35:63:88 | call to sub :  | semmle.label | call to sub :  |
-| logging.rb:65:36:65:67 | password_masked_ineffective_gsub :  | semmle.label | password_masked_ineffective_gsub :  |
-| logging.rb:65:36:65:86 | call to gsub :  | semmle.label | call to gsub :  |
-| logging.rb:69:20:69:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
-| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
-| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
-| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
-| logging.rb:77:9:77:16 | password :  | semmle.label | password :  |
-| logging.rb:79:15:79:22 | password | semmle.label | password |
-| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" :  |
-| logging.rb:83:5:83:16 | password_arg :  | semmle.label | password_arg :  |
+| logging.rb:38:20:38:23 | hsh1 :  | semmle.label | hsh1 :  |
+| logging.rb:38:20:38:34 | ...[...] | semmle.label | ...[...] |
+| logging.rb:40:20:40:34 | ...[...] | semmle.label | ...[...] |
+| logging.rb:44:20:44:23 | hsh1 :  | semmle.label | hsh1 :  |
+| logging.rb:44:20:44:29 | ...[...] | semmle.label | ...[...] |
+| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" :  |
+| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" :  |
+| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" :  | semmle.label | "a7e3747b19930d4f4b8181047194832f" :  |
+| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" :  | semmle.label | "a7e3747b19930d4f4b8181047194832f" :  |
+| logging.rb:68:35:68:65 | password_masked_ineffective_sub :  | semmle.label | password_masked_ineffective_sub :  |
+| logging.rb:68:35:68:88 | call to sub :  | semmle.label | call to sub :  |
+| logging.rb:70:36:70:67 | password_masked_ineffective_gsub :  | semmle.label | password_masked_ineffective_gsub :  |
+| logging.rb:70:36:70:86 | call to gsub :  | semmle.label | call to gsub :  |
+| logging.rb:74:20:74:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
+| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
+| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
+| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
+| logging.rb:82:9:82:16 | password :  | semmle.label | password :  |
+| logging.rb:84:15:84:22 | password | semmle.label | password |
+| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" :  |
+| logging.rb:88:5:88:16 | password_arg :  | semmle.label | password_arg :  |
 subpaths
 #select
 | logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
@@ -71,13 +75,14 @@ subpaths
 | logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
 | logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
 | logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" :  | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
-| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] :  | logging.rb:37:20:37:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
-| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= :  | logging.rb:39:20:39:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:1:34:15 | call to []= | a write to password |
-| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
-| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub :  | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
-| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
-| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:65:36:65:86 | call to gsub :  | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:65:36:65:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
-| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
-| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
-| logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:79:15:79:22 | password | a parameter password |
-| logging.rb:79:15:79:22 | password | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |
+| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:8:30:55 | call to [] :  | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
+| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:1:34:15 | call to []= :  | logging.rb:40:20:40:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:1:34:15 | call to []= | a write to password |
+| logging.rb:44:20:44:29 | ...[...] | logging.rb:30:8:30:55 | call to [] :  | logging.rb:44:20:44:29 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
+| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
+| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub :  | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub |
+| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
+| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub :  | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
+| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" :  | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
+| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" :  | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
+| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password |
+| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" :  | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |
diff --git a/ruby/ql/test/query-tests/security/cwe-312/logging.rb b/ruby/ql/test/query-tests/security/cwe-312/logging.rb
@@ -32,11 +32,16 @@
 # GOOD: no backwards flow
 stdout_logger.info hsh2[:password]
 hsh2[:password] = "beeda625d7306b45784d91ea0336e201"
+hsh3 = hsh2
 
 # BAD: password logged as plaintext
 stdout_logger.info hsh1[:password]
 # BAD: password logged as plaintext
 stdout_logger.info hsh2[:password]
+# BAD: password logged as plaintext
+stdout_logger.info hsh3[:password]
+# GOOD: not a password
+stdout_logger.info hsh1[:foo]
 
 password_masked_sub = "ca497451f5e883662fb1a37bc9ec7838"
 password_masked_sub_ex = "ca497451f5e883662fb1a37bc9ec7838"
