Add "tokenizer" to sensitive variable name FPs

owen-mc · owen-mc · commit e259b2542850 · 2024-07-30T15:38:32.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveActions.qll b/java/ql/lib/semmle/code/java/security/SensitiveActions.qll
@@ -41,9 +41,12 @@ string getCommonSensitiveInfoRegex() {
  * indicate the value being held does not contains sensitive information,
  * but is a false positive for `getCommonSensitiveInfoRegex`.
  *
+ * - "tokenizer" is often used for java.util.StringTokenizer.
  * - "tokenImage" appears in parser code generated by JavaCC.
  */
-string getCommonSensitiveInfoFPRegex() { result = "(?i).*(null).*" or result = "tokenImage" }
+string getCommonSensitiveInfoFPRegex() {
+  result = "(?i).*(null|tokenizer).*" or result = "tokenImage"
+}
 
 /** An expression that might contain sensitive data. */
 abstract class SensitiveExpr extends Expr { }
diff --git a/java/ql/test/query-tests/security/CWE-532/Test.java b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -8,6 +8,6 @@ void test(String password, String authToken, String username, String nullToken,
         logger.error("Auth failed for: " + authToken); // $ hasTaintFlow
         logger.error("Auth failed for: " + username); // Safe
         logger.error("Auth failed for: " + nullToken); // Safe
-        logger.error("Auth failed for: " + stringTokenizer); // $ hasTaintFlow
+        logger.error("Auth failed for: " + stringTokenizer); // Safe
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,6 @@ void test(String password, String authToken, String username, String nullToken,`
`8`	`8`	`logger.error("Auth failed for: " + authToken); // $ hasTaintFlow`
`9`	`9`	`logger.error("Auth failed for: " + username); // Safe`
`10`	`10`	`logger.error("Auth failed for: " + nullToken); // Safe`
`11`		`- logger.error("Auth failed for: " + stringTokenizer); // $ hasTaintFlow`
	`11`	`+ logger.error("Auth failed for: " + stringTokenizer); // Safe`
`12`	`12`	`}`
`13`	`13`	`}`