Use additional sensitive data heuristics in CleartextSources

joefarebrother · joefarebrother · commit 8b51ee8fe8f4 · 2024-06-12T15:11:27.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/internal/CleartextSources.qll b/ruby/ql/lib/codeql/ruby/security/internal/CleartextSources.qll
@@ -9,6 +9,7 @@ private import codeql.ruby.DataFlow
 private import codeql.ruby.TaintTracking::TaintTracking
 private import codeql.ruby.dataflow.RemoteFlowSources
 private import SensitiveDataHeuristics::HeuristicNames
+private import SensitiveDataHeuristics
 private import codeql.ruby.CFG
 private import codeql.ruby.dataflow.SSA
 
@@ -92,17 +93,17 @@ module CleartextSources {
   }
 
   /**
-   * A call that might obfuscate a password, for example through hashing.
+   * A call that might obfuscate sensitive data, for example through hashing.
    */
   private class ObfuscatorCall extends Sanitizer, DataFlow::CallNode {
     ObfuscatorCall() { nameIsNotSensitive(this.getMethodName()) }
   }
 
   /**
-   * A data flow node that does not contain a clear-text password, according to its syntactic name.
+   * A data flow node that does not contain clear-text sensitive data, according to its syntactic name.
    */
-  private class NameGuidedNonCleartextPassword extends NonCleartextPassword {
-    NameGuidedNonCleartextPassword() {
+  private class NameGuidedNonCleartextSensitive extends NonCleartextSensitive {
+    NameGuidedNonCleartextSensitive() {
       exists(string name | nameIsNotSensitive(name) |
         // accessing a non-sensitive variable
         this.asExpr().getExpr().(VariableReadAccess).getVariable().getName() = name
@@ -129,18 +130,23 @@ module CleartextSources {
   }
 
   /**
-   * A data flow node that receives flow that is not a clear-text password.
+   * A data flow node that receives flow that is not clear-text sensitive data.
    */
-  class NonCleartextPasswordFlow extends NonCleartextPassword {
-    NonCleartextPasswordFlow() {
-      any(NonCleartextPassword other).(DataFlow::LocalSourceNode).flowsTo(this)
+  class NonCleartextSensitiveFlow extends NonCleartextSensitive {
+    NonCleartextSensitiveFlow() {
+      any(NonCleartextSensitive other).(DataFlow::LocalSourceNode).flowsTo(this)
     }
   }
 
   /**
-   * A data flow node that does not contain a clear-text password.
+   * DEPRECATED: Use NonCleartextSensitiveFlow instead.
    */
-  abstract private class NonCleartextPassword extends DataFlow::Node { }
+  deprecated class NonCleartextPasswordFlow = NonCleartextSensitiveFlow;
+
+  /**
+   * A data flow node that does not contain clear-text sensitive data.
+   */
+  abstract private class NonCleartextSensitive extends DataFlow::Node { }
 
   // `writeNode` assigns pair with key `name` to `val`
   private predicate hashKeyWrite(DataFlow::CallNode writeNode, string name, DataFlow::Node val) {
@@ -153,18 +159,19 @@ module CleartextSources {
   }
 
   /**
-   * A value written to a hash entry with a key that may contain password information.
+   * A value written to a hash entry with a key that may contain sensitive information.
    */
-  private class HashKeyWritePasswordSource extends Source {
+  private class HashKeyWriteSensitiveSource extends Source {
     private string name;
     private DataFlow::ExprNode recv;
 
-    HashKeyWritePasswordSource() {
-      exists(DataFlow::CallNode writeNode |
-        name.regexpMatch(maybePassword()) and
+    HashKeyWriteSensitiveSource() {
+      exists(DataFlow::CallNode writeNode, SensitiveDataClassification classification |
+        nameIndicatesSensitiveData(name, classification) and
+        not classification = SensitiveDataClassification::id() and
         not nameIsNotSensitive(name) and
         // avoid safe values assigned to presumably unsafe names
-        not this instanceof NonCleartextPassword and
+        not this instanceof NonCleartextSensitive and
         // hash[name] = val
         hashKeyWrite(writeNode, name, this) and
         recv = writeNode.getReceiver()
@@ -177,7 +184,7 @@ module CleartextSources {
     string getName() { result = name }
 
     /**
-     * Gets the name of the hash variable that this password source is assigned
+     * Gets the name of the hash variable that this sensitive source is assigned
      * to, if applicable.
      */
     LocalVariable getVariable() {
@@ -186,17 +193,20 @@ module CleartextSources {
   }
 
   /**
-   * An entry into a hash literal that may contain a password
+   * An entry into a hash literal that may contain sensitive data
    */
-  private class HashLiteralPasswordSource extends Source {
+  private class HashLiteralSensitiveSource extends Source {
     private string name;
 
-    HashLiteralPasswordSource() {
-      exists(CfgNodes::ExprNodes::HashLiteralCfgNode lit |
-        name.regexpMatch(maybePassword()) and
+    HashLiteralSensitiveSource() {
+      exists(
+        CfgNodes::ExprNodes::HashLiteralCfgNode lit, SensitiveDataClassification classification
+      |
+        nameIndicatesSensitiveData(name, classification) and
+        not classification = SensitiveDataClassification::id() and
         not nameIsNotSensitive(name) and
         // avoid safe values assigned to presumably unsafe names
-        not this instanceof NonCleartextPassword and
+        not this instanceof NonCleartextSensitive and
         // hash = { name: val }
         exists(CfgNodes::ExprNodes::PairCfgNode p | p = lit.getAKeyValuePair() |
           p.getKey().getConstantValue().getStringlikeValue() = name and
@@ -208,36 +218,42 @@ module CleartextSources {
     override string describe() { result = "a write to " + name }
   }
 
-  /** An assignment that may assign a password to a variable */
-  private class AssignPasswordVariableSource extends Source {
+  /** An assignment that may assign sensitive data to a variable */
+  private class AssignSensitiveVariableSource extends Source {
     string name;
 
-    AssignPasswordVariableSource() {
-      // avoid safe values assigned to presumably unsafe names
-      not this instanceof NonCleartextPassword and
-      name.regexpMatch(maybePassword()) and
-      not nameIsNotSensitive(name) and
-      exists(Assignment a |
-        this.asExpr().getExpr() = a.getRightOperand() and
-        a.getLeftOperand().getAVariable().getName() = name
+    AssignSensitiveVariableSource() {
+      exists(SensitiveDataClassification classification |
+        // avoid safe values assigned to presumably unsafe names
+        not this instanceof NonCleartextSensitive and
+        nameIndicatesSensitiveData(name, classification) and
+        not classification = SensitiveDataClassification::id() and
+        not nameIsNotSensitive(name) and
+        exists(Assignment a |
+          this.asExpr().getExpr() = a.getRightOperand() and
+          a.getLeftOperand().getAVariable().getName() = name
+        )
       )
     }
 
     override string describe() { result = "an assignment to " + name }
   }
 
-  /** A parameter that may contain a password. */
-  private class ParameterPasswordSource extends Source {
+  /** A parameter that may contain sensitive data. */
+  private class ParameterSensitiveSource extends Source {
     private string name;
 
-    ParameterPasswordSource() {
-      name.regexpMatch(maybePassword()) and
-      not nameIsNotSensitive(name) and
-      not this instanceof NonCleartextPassword and
-      exists(Parameter p, LocalVariable v |
-        v = p.getAVariable() and
-        v.getName() = name and
-        this.asExpr().getExpr() = v.getAnAccess()
+    ParameterSensitiveSource() {
+      exists(SensitiveDataClassification classification |
+        nameIndicatesSensitiveData(name, classification) and
+        not classification = SensitiveDataClassification::id() and
+        not nameIsNotSensitive(name) and
+        not this instanceof NonCleartextSensitive and
+        exists(Parameter p, LocalVariable v |
+          v = p.getAVariable() and
+          v.getName() = name and
+          this.asExpr().getExpr() = v.getAnAccess()
+        )
       )
     }
 
@@ -260,10 +276,10 @@ module CleartextSources {
   deprecated predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     exists(string name, ElementReference ref, LocalVariable hashVar |
       // from `hsh[password] = "changeme"` to a `hsh[password]` read
-      nodeFrom.(HashKeyWritePasswordSource).getName() = name and
+      nodeFrom.(HashKeyWriteSensitiveSource).getName() = name and
       nodeTo.asExpr().getExpr() = ref and
       ref.getArgument(0).getConstantValue().getStringlikeValue() = name and
-      nodeFrom.(HashKeyWritePasswordSource).getVariable() = hashVar and
+      nodeFrom.(HashKeyWriteSensitiveSource).getVariable() = hashVar and
       ref.getReceiver().(VariableReadAccess).getVariable() = hashVar and
       nodeFrom.asExpr().getASuccessor*() = nodeTo.asExpr()
     )
