
Commit ee01e9a

authored
Merge pull request github#12554 from hvitved/ruby/clear-text-logging-hashes
Ruby: Rely on built-in hash-flow in clear text storage query
2 parents 2c63dba + f35fb13 commit ee01e9a


7 files changed

+91
-63
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The clear-text storage (`rb/clear-text-storage-sensitive-data`) and logging (`rb/clear-text-logging-sensitive-data`) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives.

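--- a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingCustomizations.qll
@@ -26,7 +26,7 @@ module CleartextLogging {
 class Sanitizer = CleartextSources::Sanitizer;
 
 /** Holds if `nodeFrom` taints `nodeTo`. */
-predicate isAdditionalTaintStep = CleartextSources::isAdditionalTaintStep/2;
+predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
 
 /**
 * A data flow sink for cleartext logging of sensitive information.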
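Review bot: The QLDoc on `isAdditionalTaintStep` still says it holds if `nodeFrom` taints `nodeTo`, but the new body is `none()`, so the predicate never holds and the comment now misdescribes it. I would reword it along the lines of `/** Never holds; retained for backward compatibility. Flow through hashes is handled by the built-in data-flow library. */`. This commit marks `CleartextSources::isAdditionalTaintStep` as `deprecated` but not this predicate, so a downstream customization that still refers to it gets no signal that it has become a no-op; consider deprecating it here as well. The identical line in `CleartextStorageCustomizations.qll` (module `CleartextStorage`) has the same issue.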

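--- a/ruby/ql/lib/codeql/ruby/security/CleartextStorageCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/CleartextStorageCustomizations.qll
@@ -26,7 +26,7 @@ module CleartextStorage {
 class Sanitizer = CleartextSources::Sanitizer;
 
 /** Holds if `nodeFrom` taints `nodeTo`. */
-predicate isAdditionalTaintStep = CleartextSources::isAdditionalTaintStep/2;
+predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
 
 /**
 * A data flow sink for cleartext storage of sensitive information.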

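--- a/ruby/ql/lib/codeql/ruby/security/internal/CleartextSources.qll
+++ b/ruby/ql/lib/codeql/ruby/security/internal/CleartextSources.qll
@@ -153,23 +153,21 @@ module CleartextSources {
 }
 
 /**
-* A write to a hash entry with a value that may contain password information.
+* A value written to a hash entry with a key that may contain password information.
 */
 private class HashKeyWritePasswordSource extends Source {
 private string name;
 private DataFlow::ExprNode recv;
 
 HashKeyWritePasswordSource() {
-exists(DataFlow::Node val |
+exists(DataFlow::CallNode writeNode |
 name.regexpMatch(maybePassword()) and
 not nameIsNotSensitive(name) and
 // avoid safe values assigned to presumably unsafe names
-not val instanceof NonCleartextPassword and
-(
-// hash[name] = val
-hashKeyWrite(this, name, val) and
-recv = this.(DataFlow::CallNode).getReceiver()
-)
+not this instanceof NonCleartextPassword and
+// hash[name] = val
+hashKeyWrite(writeNode, name, this) and
+recv = writeNode.getReceiver()
 )
 }
 
@@ -188,23 +186,21 @@ module CleartextSources {
 }
 
 /**
-* A hash literal with an entry that may contain a password
+* An entry into a hash literal that may contain a password
 */
 private class HashLiteralPasswordSource extends Source {
 private string name;
 
 HashLiteralPasswordSource() {
-exists(DataFlow::Node val, CfgNodes::ExprNodes::HashLiteralCfgNode lit |
+exists(CfgNodes::ExprNodes::HashLiteralCfgNode lit |
 name.regexpMatch(maybePassword()) and
 not nameIsNotSensitive(name) and
 // avoid safe values assigned to presumably unsafe names
-not val instanceof NonCleartextPassword and
+not this instanceof NonCleartextPassword and
 // hash = { name: val }
-exists(CfgNodes::ExprNodes::PairCfgNode p |
-this.asExpr() = lit and p = lit.getAKeyValuePair()
-|
+exists(CfgNodes::ExprNodes::PairCfgNode p | p = lit.getAKeyValuePair() |
 p.getKey().getConstantValue().getStringlikeValue() = name and
-p.getValue() = val.asExpr()
+p.getValue() = this.asExpr()
 )
 )
 }
@@ -261,7 +257,7 @@ module CleartextSources {
 }
 
 /** Holds if `nodeFrom` taints `nodeTo`. */
-predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+deprecated predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 exists(string name, ElementReference ref, LocalVariable hashVar |
 // from `hsh[password] = "changeme"` to a `hsh[password]` read
 nodeFrom.(HashKeyWritePasswordSource).getName() = name and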
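Review bot: `isAdditionalTaintStep` gains the `deprecated` annotation in the last hunk, but its QLDoc is unchanged, so a caller who hits the deprecation warning is not told why or what replaces it. I would open the comment with a notice such as `DEPRECATED: flow through hashes is now tracked by the built-in data-flow library; this step is no longer needed.` The body of the predicate continues outside the hunk and still casts `nodeFrom` to `HashKeyWritePasswordSource`, which after the first hunk denotes the written value rather than the `[]=` call, so it is worth confirming the deprecated step still behaves sensibly for any remaining external callers. `HashLiteralPasswordSource` matches keys only through `getConstantValue()`, so values stored under computed keys are presumably still outside the query's reach; a test case pinning that limit would make it explicit.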

ruby/ql/test/query-tests/security/cwe-312/CleartextLogging.expected

Lines changed: 54 additions & 45 deletions
@@ -10,20 +10,24 @@ edges
1010
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:23:33:23:40 | password |
1111
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:26:18:26:34 | "pw: #{...}" |
1212
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password |
13-
| logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:23 | hsh1 : |
14-
| logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] |
15-
| logging.rb:37:20:37:23 | hsh1 : | logging.rb:37:20:37:34 | ...[...] |
16-
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:63:35:63:65 | password_masked_ineffective_sub : |
17-
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex |
18-
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:65:36:65:67 | password_masked_ineffective_gsub : |
19-
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex |
20-
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | logging.rb:63:35:63:88 | call to sub : |
21-
| logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub |
22-
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | logging.rb:65:36:65:86 | call to gsub : |
23-
| logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub |
24-
| logging.rb:77:9:77:16 | password : | logging.rb:79:15:79:22 | password |
25-
| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:83:5:83:16 | password_arg : |
26-
| logging.rb:83:5:83:16 | password_arg : | logging.rb:77:9:77:16 | password : |
13+
| logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : | logging.rb:38:20:38:23 | hsh1 [element :password] : |
14+
| logging.rb:34:1:34:4 | [post] hsh2 [element :password] : | logging.rb:40:20:40:23 | hsh2 [element :password] : |
15+
| logging.rb:34:1:34:4 | [post] hsh2 [element :password] : | logging.rb:42:20:42:23 | hsh3 [element :password] : |
16+
| logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : | logging.rb:34:1:34:4 | [post] hsh2 [element :password] : |
17+
| logging.rb:38:20:38:23 | hsh1 [element :password] : | logging.rb:38:20:38:34 | ...[...] |
18+
| logging.rb:40:20:40:23 | hsh2 [element :password] : | logging.rb:40:20:40:34 | ...[...] |
19+
| logging.rb:42:20:42:23 | hsh3 [element :password] : | logging.rb:42:20:42:34 | ...[...] |
20+
| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:68:35:68:65 | password_masked_ineffective_sub : |
21+
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex |
22+
| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:70:36:70:67 | password_masked_ineffective_gsub : |
23+
| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex |
24+
| logging.rb:68:35:68:65 | password_masked_ineffective_sub : | logging.rb:68:35:68:88 | call to sub : |
25+
| logging.rb:68:35:68:88 | call to sub : | logging.rb:74:20:74:50 | password_masked_ineffective_sub |
26+
| logging.rb:70:36:70:67 | password_masked_ineffective_gsub : | logging.rb:70:36:70:86 | call to gsub : |
27+
| logging.rb:70:36:70:86 | call to gsub : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub |
28+
| logging.rb:82:9:82:16 | password : | logging.rb:84:15:84:22 | password |
29+
| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:88:5:88:16 | password_arg : |
30+
| logging.rb:88:5:88:16 | password_arg : | logging.rb:82:9:82:16 | password : |
2731
nodes
2832
| logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | semmle.label | "043697b96909e03ca907599d6420555f" : |
2933
| logging.rb:6:20:6:27 | password | semmle.label | password |
@@ -37,27 +41,31 @@ nodes
3741
| logging.rb:23:33:23:40 | password | semmle.label | password |
3842
| logging.rb:26:18:26:34 | "pw: #{...}" | semmle.label | "pw: #{...}" |
3943
| logging.rb:28:26:28:33 | password | semmle.label | password |
40-
| logging.rb:30:8:30:55 | call to [] : | semmle.label | call to [] : |
41-
| logging.rb:34:1:34:15 | call to []= : | semmle.label | call to []= : |
42-
| logging.rb:37:20:37:23 | hsh1 : | semmle.label | hsh1 : |
43-
| logging.rb:37:20:37:34 | ...[...] | semmle.label | ...[...] |
44-
| logging.rb:39:20:39:34 | ...[...] | semmle.label | ...[...] |
45-
| logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
46-
| logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
47-
| logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
48-
| logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
49-
| logging.rb:63:35:63:65 | password_masked_ineffective_sub : | semmle.label | password_masked_ineffective_sub : |
50-
| logging.rb:63:35:63:88 | call to sub : | semmle.label | call to sub : |
51-
| logging.rb:65:36:65:67 | password_masked_ineffective_gsub : | semmle.label | password_masked_ineffective_gsub : |
52-
| logging.rb:65:36:65:86 | call to gsub : | semmle.label | call to gsub : |
53-
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
54-
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
55-
| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
56-
| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
57-
| logging.rb:77:9:77:16 | password : | semmle.label | password : |
58-
| logging.rb:79:15:79:22 | password | semmle.label | password |
59-
| logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : |
60-
| logging.rb:83:5:83:16 | password_arg : | semmle.label | password_arg : |
44+
| logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : | semmle.label | "aec5058e61f7f122998b1a30ee2c66b6" : |
45+
| logging.rb:34:1:34:4 | [post] hsh2 [element :password] : | semmle.label | [post] hsh2 [element :password] : |
46+
| logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : | semmle.label | "beeda625d7306b45784d91ea0336e201" : |
47+
| logging.rb:38:20:38:23 | hsh1 [element :password] : | semmle.label | hsh1 [element :password] : |
48+
| logging.rb:38:20:38:34 | ...[...] | semmle.label | ...[...] |
49+
| logging.rb:40:20:40:23 | hsh2 [element :password] : | semmle.label | hsh2 [element :password] : |
50+
| logging.rb:40:20:40:34 | ...[...] | semmle.label | ...[...] |
51+
| logging.rb:42:20:42:23 | hsh3 [element :password] : | semmle.label | hsh3 [element :password] : |
52+
| logging.rb:42:20:42:34 | ...[...] | semmle.label | ...[...] |
53+
| logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
54+
| logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | semmle.label | "ca497451f5e883662fb1a37bc9ec7838" : |
55+
| logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
56+
| logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | semmle.label | "a7e3747b19930d4f4b8181047194832f" : |
57+
| logging.rb:68:35:68:65 | password_masked_ineffective_sub : | semmle.label | password_masked_ineffective_sub : |
58+
| logging.rb:68:35:68:88 | call to sub : | semmle.label | call to sub : |
59+
| logging.rb:70:36:70:67 | password_masked_ineffective_gsub : | semmle.label | password_masked_ineffective_gsub : |
60+
| logging.rb:70:36:70:86 | call to gsub : | semmle.label | call to gsub : |
61+
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | semmle.label | password_masked_ineffective_sub |
62+
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | semmle.label | password_masked_ineffective_gsub |
63+
| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | semmle.label | password_masked_ineffective_sub_ex |
64+
| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | semmle.label | password_masked_ineffective_gsub_ex |
65+
| logging.rb:82:9:82:16 | password : | semmle.label | password : |
66+
| logging.rb:84:15:84:22 | password | semmle.label | password |
67+
| logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | semmle.label | "65f2950df2f0e2c38d7ba2ccca767291" : |
68+
| logging.rb:88:5:88:16 | password_arg : | semmle.label | password_arg : |
6169
subpaths
6270
#select
6371
| logging.rb:6:20:6:27 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:6:20:6:27 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
@@ -71,13 +79,14 @@ subpaths
7179
| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:23:33:23:40 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
7280
| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:26:18:26:34 | "pw: #{...}" | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
7381
| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
74-
| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:8:30:55 | call to [] | a write to password |
75-
| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:1:34:15 | call to []= | a write to password |
76-
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
77-
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
78-
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:61:36:61:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
79-
| logging.rb:71:20:71:51 | password_masked_ineffective_gsub | logging.rb:65:36:65:86 | call to gsub : | logging.rb:71:20:71:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:65:36:65:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
80-
| logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:73:20:73:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:60:38:60:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
81-
| logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:75:20:75:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:62:39:62:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
82-
| logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:79:15:79:22 | password | a parameter password |
83-
| logging.rb:79:15:79:22 | password | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:79:15:79:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:82:16:82:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |
82+
| logging.rb:38:20:38:34 | ...[...] | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" : | logging.rb:38:20:38:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:30:20:30:53 | "aec5058e61f7f122998b1a30ee2c66b6" | a write to password |
83+
| logging.rb:40:20:40:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : | logging.rb:40:20:40:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password |
84+
| logging.rb:42:20:42:34 | ...[...] | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" : | logging.rb:42:20:42:34 | ...[...] | This logs sensitive data returned by $@ as clear text. | logging.rb:34:19:34:52 | "beeda625d7306b45784d91ea0336e201" | a write to password |
85+
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:64:35:64:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
86+
| logging.rb:74:20:74:50 | password_masked_ineffective_sub | logging.rb:68:35:68:88 | call to sub : | logging.rb:74:20:74:50 | password_masked_ineffective_sub | This logs sensitive data returned by $@ as clear text. | logging.rb:68:35:68:88 | call to sub | an assignment to password_masked_ineffective_sub |
87+
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:66:36:66:69 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub |
88+
| logging.rb:76:20:76:51 | password_masked_ineffective_gsub | logging.rb:70:36:70:86 | call to gsub : | logging.rb:76:20:76:51 | password_masked_ineffective_gsub | This logs sensitive data returned by $@ as clear text. | logging.rb:70:36:70:86 | call to gsub | an assignment to password_masked_ineffective_gsub |
89+
| logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:78:20:78:53 | password_masked_ineffective_sub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:65:38:65:71 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub_ex |
90+
| logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" : | logging.rb:80:20:80:54 | password_masked_ineffective_gsub_ex | This logs sensitive data returned by $@ as clear text. | logging.rb:67:39:67:72 | "a7e3747b19930d4f4b8181047194832f" | an assignment to password_masked_ineffective_gsub_ex |
91+
| logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:84:15:84:22 | password | a parameter password |
92+
| logging.rb:84:15:84:22 | password | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" : | logging.rb:84:15:84:22 | password | This logs sensitive data returned by $@ as clear text. | logging.rb:87:16:87:49 | "65f2950df2f0e2c38d7ba2ccca767291" | an assignment to password_arg |
