Add www-authenticate to sensitiveheaders()

ahmed-farid-dev · web-flow · commit 64bb022adfd0 · 2022-09-07T11:12:53.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -257,7 +257,8 @@ private string sensitiveheaders() {
   result =
     [
       "x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header",
-      "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization", "x-gitlab-token"
+      "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization", "x-gitlab-token",
+      "www-authenticate"
     ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,8 @@ private string sensitiveheaders() {`
`257`	`257`	`result =`
`258`	`258`	`[`
`259`	`259`	`"x-auth-token", "x-csrf-token", "http_x_csrf_token", "x-csrf-param", "x-csrf-header",`
`260`		`- "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization", "x-gitlab-token"`
	`260`	`+ "http_x_csrf_token", "x-api-key", "authorization", "proxy-authorization", "x-gitlab-token",`
	`261`	`+ "www-authenticate"`
`261`	`262`	`]`
`262`	`263`	`}`
`263`	`264`