@@ -40,6 +40,18 @@ module CleartextSources {
4040 re .getConstantValue ( ) .getStringlikeValue ( ) = [ ".*" , ".+" ]
4141 }
4242
43+ /** Holds if the given name indicates the presence of sensitive data that is relevant to consider for Cleartext Storage queries. */
44+ bindingset [ name]
45+ private predicate nameIndicatesRelevantSensitiveData ( string name ) {
46+ exists ( SensitiveDataClassification classification |
47+ nameIndicatesSensitiveData ( name , classification ) and
48+ classification in [
49+ SensitiveDataClassification:: password ( ) , SensitiveDataClassification:: certificate ( ) ,
50+ SensitiveDataClassification:: secret ( ) , SensitiveDataClassification:: private ( ) ,
51+ ]
52+ )
53+ }
54+
4355 /**
4456 * Holds if `re` may be a regular expression that can be used to sanitize
4557 * sensitive data with a call to `gsub`.
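Review bot: The new predicate at L7-L15 replaces the old `not classification = SensitiveDataClassification::id()` exclusion with an allowlist of four classifications, so any member later added to `SensitiveDataClassification` beyond password, certificate, secret, private and id would silently stop being a Cleartext Storage source, with no query failing to flag it. The doc comment at L5 should state this, e.g. `/** Holds if name indicates sensitive data whose classification is relevant to Cleartext Storage queries: password, certificate, secret or private. The id classification is deliberately excluded; a classification added later must be listed here to be considered. */`. The same predicate replaces the inline check in `HashKeyWriteSensitiveSource`, `HashLiteralSensitiveSource`, `AssignSensitiveVariableSource` and `ParameterSensitiveSource` in the following hunks; if the current classification set is exactly those five members the change is behaviour-preserving, which the query test expectations should confirm. The trailing comma after `private()` in the multi-line set literal matches the QL formatter's output, so no change there.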
@@ -166,9 +178,8 @@ module CleartextSources {
166178 private DataFlow:: ExprNode recv ;
167179
168180 HashKeyWriteSensitiveSource ( ) {
169- exists ( DataFlow:: CallNode writeNode , SensitiveDataClassification classification |
170- nameIndicatesSensitiveData ( name , classification ) and
171- not classification = SensitiveDataClassification:: id ( ) and
181+ exists ( DataFlow:: CallNode writeNode |
182+ nameIndicatesRelevantSensitiveData ( name ) and
172183 not nameIsNotSensitive ( name ) and
173184 // avoid safe values assigned to presumably unsafe names
174185 not this instanceof NonCleartextSensitive and
@@ -199,11 +210,8 @@ module CleartextSources {
199210 private string name ;
200211
201212 HashLiteralSensitiveSource ( ) {
202- exists (
203- CfgNodes:: ExprNodes:: HashLiteralCfgNode lit , SensitiveDataClassification classification
204- |
205- nameIndicatesSensitiveData ( name , classification ) and
206- not classification = SensitiveDataClassification:: id ( ) and
213+ exists ( CfgNodes:: ExprNodes:: HashLiteralCfgNode lit |
214+ nameIndicatesRelevantSensitiveData ( name ) and
207215 not nameIsNotSensitive ( name ) and
208216 // avoid safe values assigned to presumably unsafe names
209217 not this instanceof NonCleartextSensitive and
@@ -223,16 +231,13 @@ module CleartextSources {
223231 string name ;
224232
225233 AssignSensitiveVariableSource ( ) {
226- exists ( SensitiveDataClassification classification |
227- // avoid safe values assigned to presumably unsafe names
228- not this instanceof NonCleartextSensitive and
229- nameIndicatesSensitiveData ( name , classification ) and
230- not classification = SensitiveDataClassification:: id ( ) and
231- not nameIsNotSensitive ( name ) and
232- exists ( Assignment a |
233- this .asExpr ( ) .getExpr ( ) = a .getRightOperand ( ) and
234- a .getLeftOperand ( ) .getAVariable ( ) .getName ( ) = name
235- )
234+ // avoid safe values assigned to presumably unsafe names
235+ not this instanceof NonCleartextSensitive and
236+ nameIndicatesRelevantSensitiveData ( name ) and
237+ not nameIsNotSensitive ( name ) and
238+ exists ( Assignment a |
239+ this .asExpr ( ) .getExpr ( ) = a .getRightOperand ( ) and
240+ a .getLeftOperand ( ) .getAVariable ( ) .getName ( ) = name
236241 )
237242 }
238243
@@ -244,16 +249,13 @@ module CleartextSources {
244249 private string name ;
245250
246251 ParameterSensitiveSource ( ) {
247- exists ( SensitiveDataClassification classification |
248- nameIndicatesSensitiveData ( name , classification ) and
249- not classification = SensitiveDataClassification:: id ( ) and
250- not nameIsNotSensitive ( name ) and
251- not this instanceof NonCleartextSensitive and
252- exists ( Parameter p , LocalVariable v |
253- v = p .getAVariable ( ) and
254- v .getName ( ) = name and
255- this .asExpr ( ) .getExpr ( ) = v .getAnAccess ( )
256- )
252+ nameIndicatesRelevantSensitiveData ( name ) and
253+ not nameIsNotSensitive ( name ) and
254+ not this instanceof NonCleartextSensitive and
255+ exists ( Parameter p , LocalVariable v |
256+ v = p .getAVariable ( ) and
257+ v .getName ( ) = name and
258+ this .asExpr ( ) .getExpr ( ) = v .getAnAccess ( )
257259 )
258260 }
259261