Merge pull request github#2987 from asger-semmle/js/urls-not-sensitive-data

JS: Declassify sensitive exprs with special characters

Author: asgerf

change-notes/1.24/analysis-javascript.md

@@ -64,6 +64,7 @@
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
 | Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
+| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
 
 ## Changes to libraries
 

javascript/ql/src/semmle/javascript/security/SensitiveActions.qll

@@ -63,10 +63,11 @@ module HeuristicNames {
 
   /**
    * Gets a regular expression that identifies strings that may indicate the presence of data
-   * that is hashed or encrypted, and hence rendered non-sensitive.
+   * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
+   * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitive() {
-    result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
   }
 }
 

javascript/ql/test/library-tests/SensitiveActions/tst.js

@@ -22,3 +22,7 @@ secret;
 
 require("process").exit();
 global.process.exit();
+
+get("https://example.com/news?password=true")
+get("https://username:[email protected]")
+execute("SELECT * FROM users WHERE password=?")