Address review comments

Author: knewbury01

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.md

@@ -6,11 +6,11 @@ Data that may expose system information such as full path names, system informat
 
 ## Recommendation
 
-CAP applications should not log sensitive information.
+CAP applications should not log sensitive information. Sensitive information can include: full path names, system information, usernames, passwords or any personally identifiable information. Make sure to log only information that is not sensitive, or obfuscate/encrypt sensitive information any time that it is logged.
 
 ## Examples
 
-This CAP service directly logs the sensitive information.
+This CAP service directly logs the sensitive information. Potential attackers may gain access to this sensitive information when the log output is displayed or when the attacker gains access to the log, and the info is not obfuscated or encrypted.
 
 ``` javascript
 import cds from '@sap/cds'
@@ -19,6 +19,7 @@ const LOG = cds.log("logger");
 class SampleVulnService extends cds.ApplicationService {
     init() {
         LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
     }
 }
 ```

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.ql

@@ -15,17 +15,30 @@ import javascript
 import advanced_security.javascript.frameworks.cap.CDS
 import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
 private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
-import DataFlow::PathGraph
 
-class SensitiveLogExposureConfig extends TaintTracking::Configuration {
-  SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
+module SensitiveLogExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+    CleartextLogging::isAdditionalTaintStep(src, trg)
+  }
+
+  predicate isBarrier(DataFlow::Node sink) { sink instanceof CleartextLogging::Barrier }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
+    // Assume all properties of a logged object are themselves logged.
+    contents = DataFlow::ContentSet::anyProperty() and
+    isSink(node)
+  }
 }
 
-from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module SensitiveLogExposureFlow = TaintTracking::Global<SensitiveLogExposureConfig>;
+
+import SensitiveLogExposureFlow::PathGraph
+
+from SensitiveLogExposureFlow::PathNode source, SensitiveLogExposureFlow::PathNode sink
+where SensitiveLogExposureFlow::flowPath(source, sink)
 select sink, source, sink, "This logs sensitive data returned by $@ as clear text.",
   source.getNode(), source.getNode().(CleartextLogging::Source).describe()

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.expected

@@ -1,17 +1,18 @@
-WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:18,8-27)
-WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:20,42-70)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:28,41-59)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposureHeuristicSource.ql:28,68-86)
-nodes
-| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
-| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
-| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
-| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env |
-| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env |
 edges
-| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
-| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` |
-| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
-| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) |
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | provenance |  |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | provenance |  |
+| sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | provenance |  |
+| sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | provenance |  |
+| sensitive-exposure-heuristic-source.js:9:16:9:23 | password | sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | provenance |  |
+nodes
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | semmle.label | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | semmle.label | JSON.st ... ss.env) |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | semmle.label | process.env |
+| sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | semmle.label | obj [x] |
+| sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | semmle.label | {\\n      ...       } [x] |
+| sensitive-exposure-heuristic-source.js:9:16:9:23 | password | semmle.label | password |
+| sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | semmle.label | obj |
+subpaths
 #select
 | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | process environment |
+| sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | sensitive-exposure-heuristic-source.js:9:16:9:23 | password | sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-heuristic-source.js:9:16:9:23 | password | an access to password |

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js

@@ -4,5 +4,17 @@ const LOG = cds.log("logger");
 class SampleVulnService extends cds.ApplicationService {
     init() {
         LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+
+        var obj = {
+            x: password
+        };
+        LOG.info(obj); // CAP log exposure alert
+
+        LOG.info(obj.x.replace(/./g, "*")); // NO CAP log exposure alert - replace as sanitizer 
+
+        var user = {
+            password: encryptLib.encryptPassword(password)
+        };
+        LOG.info(user); // NO CAP log exposure alert - encrypted data is fine
     }
 }