JS: remove check for test-environment in js/clear-text-logging

Author: Esben Sparre Andreasen

javascript/ql/src/Security/CWE-312/CleartextLogging.ql

@@ -31,25 +31,8 @@ predicate inBrowserEnvironment(TopLevel tl) {
   )
 }
 
-/**
- * Holds if `sink` only is reachable in a "test" environment.
- */
-predicate inTestEnvironment(Sink sink) {
-  exists (IfStmt guard, Identifier id |
-    // heuristic: a deliberate environment choice by the programmer related to passwords implies a test environment
-    id.getName().regexpMatch("(?i).*(test|develop|production).*") and
-    id.(Expr).getParentExpr*() = guard.getCondition() and
-    (
-      guard.getAControlledStmt() = sink.asExpr().getEnclosingStmt() or
-      guard.getAControlledStmt().(BlockStmt).getAChildStmt() = sink.asExpr().getEnclosingStmt()
-    )
-  )
-}
-
 from Configuration cfg, Source source, DataFlow::Node sink
 where cfg.hasFlow(source, sink) and
       // ignore logging to the browser console (even though it is not a good practice)
-      not inBrowserEnvironment(sink.asExpr().getTopLevel()) and
-      // ignore logging when testing
-      not inTestEnvironment(sink)
+      not inBrowserEnvironment(sink.asExpr().getTopLevel())
 select sink, "Sensitive data returned by $@ is logged here.", source, source.describe()

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -11,7 +11,12 @@
 | passwords.js:29:17:29:20 | obj3 | Sensitive data returned by $@ is logged here. | passwords.js:30:14:30:21 | password | an access to password |
 | passwords.js:78:17:78:38 | temp.en ... assword | Sensitive data returned by $@ is logged here. | passwords.js:77:37:77:53 | req.body.password | an access to password |
 | passwords.js:81:17:81:31 | `pw: ${secret}` | Sensitive data returned by $@ is logged here. | passwords.js:80:18:80:25 | password | an access to password |
+| passwords.js:93:21:93:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:93:39:93:46 | password | an access to password |
+| passwords.js:98:21:98:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:98:39:98:46 | password | an access to password |
+| passwords.js:105:21:105:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:105:39:105:46 | password | an access to password |
+| passwords.js:110:21:110:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:110:39:110:46 | password | an access to password |
 | passwords.js:114:25:114:50 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:114:43:114:50 | password | an access to password |
+| passwords.js:119:21:119:46 | "Passwo ... assword | Sensitive data returned by $@ is logged here. | passwords.js:119:39:119:46 | password | an access to password |
 | passwords.js:122:17:122:49 | name +  ... tring() | Sensitive data returned by $@ is logged here. | passwords.js:122:31:122:38 | password | an access to password |
 | passwords.js:123:17:123:48 | name +  ... lueOf() | Sensitive data returned by $@ is logged here. | passwords.js:123:31:123:38 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |

javascript/ql/test/query-tests/Security/CWE-312/passwords.js

@@ -90,24 +90,24 @@
     console.log("Password is: " + redact('password', password));
 
     if (environment.isTestEnv()) {
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
     }
 
     if (environment.is(TEST)) {
         // NB: for security reasons, we only log passwords in test environments
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
     }
 
 
     if (x.test(y)) {
         f();
         // ...
-        console.log("Password is: " + password); // NOT OK, but not flagged
+        console.log("Password is: " + password); // NOT OK
         // ...
     }
 
     if (environment.isTestEnv())
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
 
     if (x.test(y)) {
         if (f()) {
@@ -116,7 +116,7 @@
     }
 
     if (!environment.isProduction()) {
-        console.log("Password is: " + password); // OK
+        console.log("Password is: " + password); // OK, but still flagged
     }
 
     console.log(name + ", " + password.toString()); // NOT OK