CleartextLogging: sanitize strings.Split(authheader, ":")[0] and similar

These can represent a username, method name or other non-sensitive component of an Authorization header. For greater precision we could split the query into one investigating Authorization headers and one investigating other sources of sensitive data that can't be sanitized by splitting this way.

Author: smowton

ql/src/semmle/go/security/CleartextLoggingCustomizations.qll

@@ -183,4 +183,22 @@ module CleartextLogging {
 
     override string describe() { result = "HTTP request headers" }
   }
+
+  /**
+   * The first element of a split by ' '  or ':', often sanitizing a username/password pair
+   * or the "Method value" syntax used in the HTTP Authorization header.
+   */
+  private class NonSensitiveAuthorizationElement extends Barrier, DataFlow::ElementReadNode {
+    NonSensitiveAuthorizationElement() {
+      exists(DataFlow::CallNode splitCall, DataFlow::Node splitAlias |
+        splitCall
+            .getTarget()
+            .hasQualifiedName("strings", ["Split", "SplitN", "SplitAfter", "SplitAfterN"]) and
+        splitCall.getArgument(1).getStringValue() = [" ", ":"] and
+        DataFlow::localFlow(splitCall.getResult(), splitAlias) and
+        this.getBase() = splitAlias
+      ) and
+      this.getIndex().getIntValue() = 0
+    }
+  }
 }

ql/test/query-tests/Security/CWE-312/CleartextLoggingGood.go

@@ -3,6 +3,7 @@ package main
 import (
 	"log"
 	"net/http"
+	"strings"
 )
 
 func serve1() {
@@ -18,3 +19,19 @@ func serve1() {
 	})
 	http.ListenAndServe(":80", nil)
 }
+
+func serveauth() {
+	http.HandleFunc("/register", func(w http.ResponseWriter, r *http.Request) {
+		authhdr := r.Header.Get("authorization")
+		fields := strings.Split(authhdr, " ")
+
+		log.Printf("Auth method is %s.\n", fields[0])
+
+		tokenparts := strings.Split(fields[1], ":")
+		log.Printf("Username is %s.\n", tokenparts[0])
+
+		// ...
+		use(tokenparts[1])
+	})
+	http.ListenAndServe(":80", nil)
+}