
Commit b4952e7

author
Esben Sparre Andreasen
committed
JS: improve and expose SensitiveActions::HeuristicNames
1 parent 804c06b commit b4952e7


1 file changed

+28
-18
lines changed


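--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -11,27 +11,37 @@
 
 import javascript
 
-/** A regular expression that identifies strings that look like they represent secret data that are not passwords. */
-private string suspiciousNonPassword() {
-result = "(?is).*(secret|account|accnt|(?<!un)trusted).*"
-}
-/** A regular expression that identifies strings that look like they represent secret data that are passwords. */
-private string suspiciousPassword() {
-result = "(?is).*(password|passwd).*"
-}
-
-/** A regular expression that identifies strings that look like they represent secret data. */
-private string suspicious() {
-result = suspiciousPassword() or result = suspiciousNonPassword()
-}
-
 /**
-* A string for `match` that identifies strings that look like they represent secret data that is
-* hashed or encrypted.
+* Provides heuristics for identifying names related to sensitive information.
+*
+* INTERNAL: Do not use directly.
 */
-private string nonSuspicious() {
-result = "(?is).*(hash|(?<!un)encrypted|\\bcrypt\\b).*"
+module HeuristicNames {
+
+/** A regular expression that identifies strings that look like they represent secret data that are not passwords. */
+string suspiciousNonPassword() {
+result = "(?is).*(secret|account|accnt|(?<!un)trusted).*"
+}
+/** A regular expression that identifies strings that look like they represent secret data that are passwords. */
+string suspiciousPassword() {
+result = "(?is).*(password|passwd).*"
+}
+
+/** A regular expression that identifies strings that look like they represent secret data. */
+string suspicious() {
+result = suspiciousPassword() or result = suspiciousNonPassword()
+}
+
+/**
+* A regular expression that identifies strings that look like they represent data that is
+* hashed or encrypted.
+*/
+string nonSuspicious() {
+result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+}
+
 }
+private import HeuristicNames
 
 /** An expression that might contain sensitive data. */
 abstract class SensitiveExpr extends Expr {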
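Review bot: The `(?<!un)` guard in the new `nonSuspicious()` regex (new line 40) is ineffective, because the group `((?<!un)(en))?` is optional: for a name such as `unencryptedPassword` the engine simply skips the group and matches the bare `crypt`, so the name is classified as hashed/encrypted even though the old pattern (`(?<!un)encrypted|\\bcrypt\\b`) deliberately rejected it. If this predicate is used to exclude names from the sensitive-data heuristics (its callers are outside the hunk, so this is inferred), that is a silent false negative on exactly the names that matter most. Moving the lookbehinds in front of the optional group fixes it: `result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|(?<!un)(?<!unen)(en)?(crypt|code)).*"`. Separately, dropping the word boundaries means the bare alternatives `crypt`, `code` and `sha` now match inside `decrypt`, `decode`, `passcode`, `shared` and `shadow`, which seems worth either narrowing or stating in the predicate's doc comment, e.g. `* Note: matches substrings, so `decrypt`/`decode` and `sha`-prefixed names are treated as non-sensitive.`. The body of `SensitiveExpr` continues outside the hunk.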
