|
| 1 | +/** |
| 2 | + * INTERNAL: Do not use. |
| 3 | + * |
| 4 | + * Provides classes and predicates for identifying strings that may indicate the presence of sensitive data. |
| 5 | + * Such that we can share this logic across our CodeQL analysis of different languages. |
| 6 | + * |
| 7 | + * 'Sensitive' data in general is anything that should not be sent around in unencrypted form. |
| 8 | + */ |
| 9 | + |
| 10 | +/** |
| 11 | + * A classification of different kinds of sensitive data: |
| 12 | + * |
| 13 | + * - secret: generic secret or trusted data; |
| 14 | + * - id: a user name or other account information; |
| 15 | + * - password: a password or authorization key; |
| 16 | + * - certificate: a certificate. |
| 17 | + * - private: private data such as credit card numbers |
| 18 | + * |
| 19 | + * While classifications are represented as strings, this should not be relied upon. |
| 20 | + * Instead, use the predicates in `SensitiveDataClassification::` to work with |
| 21 | + * classifications. |
| 22 | + */ |
| 23 | +class SensitiveDataClassification extends string { |
| 24 | + SensitiveDataClassification() { this in ["secret", "id", "password", "certificate", "private"] } |
| 25 | +} |
| 26 | + |
| 27 | +/** |
| 28 | + * Provides predicates to select the different kinds of sensitive data we support. |
| 29 | + */ |
| 30 | +module SensitiveDataClassification { |
| 31 | + /** Gets the classification for secret or trusted data. */ |
| 32 | + SensitiveDataClassification secret() { result = "secret" } |
| 33 | + |
| 34 | + /** Gets the classification for user names or other account information. */ |
| 35 | + SensitiveDataClassification id() { result = "id" } |
| 36 | + |
| 37 | + /** Gets the classification for passwords or authorization keys. */ |
| 38 | + SensitiveDataClassification password() { result = "password" } |
| 39 | + |
| 40 | + /** Gets the classification for certificates. */ |
| 41 | + SensitiveDataClassification certificate() { result = "certificate" } |
| 42 | + |
| 43 | + /** Gets the classification for private data. */ |
| 44 | + SensitiveDataClassification private() { result = "private" } |
| 45 | +} |
| 46 | + |
| 47 | +/** |
| 48 | + * INTERNAL: Do not use. |
| 49 | + * |
| 50 | + * Provides heuristics for identifying names related to sensitive information. |
| 51 | + */ |
| 52 | +module HeuristicNames { |
| 53 | + /** |
| 54 | + * Gets a regular expression that identifies strings that may indicate the presence of secret |
| 55 | + * or trusted data. |
| 56 | + */ |
| 57 | + string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" } |
| 58 | + |
| 59 | + /** |
| 60 | + * Gets a regular expression that identifies strings that may indicate the presence of |
| 61 | + * user names or other account information. |
| 62 | + */ |
| 63 | + string maybeAccountInfo() { |
| 64 | + result = "(?is).*acc(ou)?nt.*" or |
| 65 | + result = "(?is).*(puid|user.?name|user.?id|session.?(id|key)).*" or |
| 66 | + result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*" |
| 67 | + } |
| 68 | + |
| 69 | + /** |
| 70 | + * Gets a regular expression that identifies strings that may indicate the presence of |
| 71 | + * a password or an authorization key. |
| 72 | + */ |
| 73 | + string maybePassword() { |
| 74 | + result = "(?is).*pass(wd|word|code|.?phrase)(?!.*question).*" or |
| 75 | + result = "(?is).*(auth(entication|ori[sz]ation)?).?key.*" |
| 76 | + } |
| 77 | + |
| 78 | + /** |
| 79 | + * Gets a regular expression that identifies strings that may indicate the presence of |
| 80 | + * a certificate. |
| 81 | + */ |
| 82 | + string maybeCertificate() { result = "(?is).*(cert)(?!.*(format|name|ification)).*" } |
| 83 | + |
| 84 | + /** |
| 85 | + * Gets a regular expression that identifies strings that may indicate the presence of |
| 86 | + * private data. |
| 87 | + */ |
| 88 | + string maybePrivate() { |
| 89 | + result = |
| 90 | + "(?is).*(" + |
| 91 | + // Inspired by the list on https://cwe.mitre.org/data/definitions/359.html |
| 92 | + // Government identifiers, such as Social Security Numbers |
| 93 | + "social.?security|employer.?identification|national.?insurance|resident.?id|" + |
| 94 | + "passport.?(num|no)|([_-]|\\b)ssn([_-]|\\b)|" + |
| 95 | + // Contact information, such as home addresses |
| 96 | + "post.?code|zip.?code|home.?addr|" + |
| 97 | + // and telephone numbers |
| 98 | + "(mob(ile)?|home).?(num|no|tel|phone)|(tel|fax|phone).?(num|no)|telephone|" + |
| 99 | + "emergency.?contact|" + |
| 100 | + // Geographic location - where the user is (or was) |
| 101 | + "latitude|longitude|nationality|" + |
| 102 | + // Financial data - such as credit card numbers, salary, bank accounts, and debts |
| 103 | + "(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|" + |
| 104 | + "salary|billing|credit.?(rating|score)|([_-]|\\b)ccn([_-]|\\b)|" + |
| 105 | + // Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc. |
| 106 | + // "e(mail|_mail)|" + // this seems too noisy |
| 107 | + // Health - medical conditions, insurance status, prescription records |
| 108 | + "birth.?da(te|y)|da(te|y).?(of.?)?birth|" + |
| 109 | + "medical|(health|care).?plan|healthkit|appointment|prescription|" + |
| 110 | + "blood.?(type|alcohol|glucose|pressure)|heart.?(rate|rhythm)|body.?(mass|fat)|" + |
| 111 | + "menstrua|pregnan|insulin|inhaler|" + |
| 112 | + // Relationships - work and family |
| 113 | + "employ(er|ee)|spouse|maiden.?name" + |
| 114 | + // --- |
| 115 | + ").*" |
| 116 | + } |
| 117 | + |
| 118 | + /** |
| 119 | + * Gets a regular expression that identifies strings that may indicate the presence |
| 120 | + * of sensitive data, with `classification` describing the kind of sensitive data involved. |
| 121 | + */ |
| 122 | + string maybeSensitiveRegexp(SensitiveDataClassification classification) { |
| 123 | + result = maybeSecret() and classification = SensitiveDataClassification::secret() |
| 124 | + or |
| 125 | + result = maybeAccountInfo() and classification = SensitiveDataClassification::id() |
| 126 | + or |
| 127 | + result = maybePassword() and classification = SensitiveDataClassification::password() |
| 128 | + or |
| 129 | + result = maybeCertificate() and |
| 130 | + classification = SensitiveDataClassification::certificate() |
| 131 | + or |
| 132 | + result = maybePrivate() and |
| 133 | + classification = SensitiveDataClassification::private() |
| 134 | + } |
| 135 | + |
| 136 | + /** |
| 137 | + * Gets a regular expression that identifies strings that may indicate the presence of data |
| 138 | + * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters |
| 139 | + * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query). |
| 140 | + * |
| 141 | + * We also filter out common words like `certain` and `concert`, since otherwise these could |
| 142 | + * be matched by the certificate regular expressions. Same for `accountable` (account), or |
| 143 | + * `secretarial` (secret). |
| 144 | + */ |
| 145 | + string notSensitiveRegexp() { |
| 146 | + result = |
| 147 | + "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|certain|concert|secretar|accountant|accountab).*" |
| 148 | + } |
| 149 | + |
| 150 | + /** |
| 151 | + * Holds if `name` may indicate the presence of sensitive data, and `name` does not indicate that |
| 152 | + * the data is in fact non-sensitive (for example since it is hashed or encrypted). |
| 153 | + * |
| 154 | + * That is, one of the regexps from `maybeSensitiveRegexp` matches `name` (with the given |
| 155 | + * classification), and none of the regexps from `notSensitiveRegexp` matches `name`. |
| 156 | + */ |
| 157 | + bindingset[name] |
| 158 | + predicate nameIndicatesSensitiveData(string name) { |
| 159 | + exists(string combinedRegexp | |
| 160 | + // Combine all the maybe-sensitive regexps into one using non-capturing groups and |. |
| 161 | + combinedRegexp = |
| 162 | + "(?:" + strictconcat(string r | r = maybeSensitiveRegexp(_) | r, ")|(?:") + ")" |
| 163 | + | |
| 164 | + name.regexpMatch(combinedRegexp) |
| 165 | + ) and |
| 166 | + not name.regexpMatch(notSensitiveRegexp()) |
| 167 | + } |
| 168 | + |
| 169 | + /** |
| 170 | + * Holds if `name` may indicate the presence of sensitive data, and |
| 171 | + * `name` does not indicate that the data is in fact non-sensitive (for example since |
| 172 | + * it is hashed or encrypted). `classification` describes the kind of sensitive data |
| 173 | + * involved. |
| 174 | + * |
| 175 | + * That is, one of the regexps from `maybeSensitiveRegexp` matches `name` (with the |
| 176 | + * given classification), and none of the regexps from `notSensitiveRegexp` matches |
| 177 | + * `name`. |
| 178 | + * |
| 179 | + * When the set of names is large, it's worth using `nameIndicatesSensitiveData/1` as a first |
| 180 | + * pass, since that combines all the regexps into one, and should be faster. Then call this |
| 181 | + * predicate to get the classification(s). |
| 182 | + */ |
| 183 | + bindingset[name] |
| 184 | + predicate nameIndicatesSensitiveData(string name, SensitiveDataClassification classification) { |
| 185 | + name.regexpMatch(maybeSensitiveRegexp(classification)) and |
| 186 | + not name.regexpMatch(notSensitiveRegexp()) |
| 187 | + } |
| 188 | +} |
0 commit comments