rename ProcessEnvLabel to PartiallySensitiveMap

erik-krogh · erik-krogh · commit 052a3313950c · 2019-11-16T15:20:42.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -35,16 +35,16 @@ module CleartextLogging {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
 
     override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
-      // Only unknown property reads on `process.env` propagate taint.
-      (not lbl instanceof ProcessEnvLabel or exists(succ.(DataFlow::PropRead).getPropertyName())) and 
+      // Only unknown property reads on sensitive objects propagate taint.
+      (not lbl instanceof PartiallySensitiveMap or exists(succ.(DataFlow::PropRead).getPropertyName())) and 
       succ.(DataFlow::PropRead).getBase() = pred
     }
        
     override predicate isAdditionalFlowStep(
       DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
     ) {
       trg.(DataFlow::PropRead).getBase() = src and
-      inlbl instanceof ProcessEnvLabel and 
+      inlbl instanceof PartiallySensitiveMap and 
       outlbl.isData() 
     }
     
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -163,7 +163,7 @@ module CleartextLogging {
     }
   }
 
-
+  /** An access to the sensitive object `process.env`. */
   class ProcessEnvSource extends Source {
     ProcessEnvSource() {
       this = NodeJSLib::process().getAPropertyRead("env")
@@ -173,11 +173,16 @@ module CleartextLogging {
     
     override DataFlow::FlowLabel getLabel() {
       result.isData() or 
-      result instanceof ProcessEnvLabel
+      result instanceof PartiallySensitiveMap
     }
   }
-  class ProcessEnvLabel extends DataFlow::FlowLabel{
-    ProcessEnvLabel() {
+  
+  /**
+   * A flow label describing a map that might contain sensitive information in some properties.
+   * Property reads on such maps where the property name is fixed is unlikely to leak sensitive information. 
+   */
+  class PartiallySensitiveMap extends DataFlow::FlowLabel {
+    PartiallySensitiveMap() {
       this = "processEnv"
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,7 @@ module CleartextLogging {`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`
`166`		`-`
	`166`	+ /** An access to the sensitive object `process.env`. */
`167`	`167`	`class ProcessEnvSource extends Source {`
`168`	`168`	`ProcessEnvSource() {`
`169`	`169`	`this = NodeJSLib::process().getAPropertyRead("env")`
`@@ -173,11 +173,16 @@ module CleartextLogging {`
`173`	`173`
`174`	`174`	`override DataFlow::FlowLabel getLabel() {`
`175`	`175`	`result.isData() or`
`176`		`- result instanceof ProcessEnvLabel`
	`176`	`+ result instanceof PartiallySensitiveMap`
`177`	`177`	`}`
`178`	`178`	`}`
`179`		`- class ProcessEnvLabel extends DataFlow::FlowLabel{`
`180`		`- ProcessEnvLabel() {`
	`179`	`+`
	`180`	`+ /**`
	`181`	`+ * A flow label describing a map that might contain sensitive information in some properties.`
	`182`	`+ * Property reads on such maps where the property name is fixed is unlikely to leak sensitive information.`
	`183`	`+ */`
	`184`	`+ class PartiallySensitiveMap extends DataFlow::FlowLabel {`
	`185`	`+ PartiallySensitiveMap() {`
`181`	`186`	`this = "processEnv"`
`182`	`187`	`}`
`183`	`188`	`}`