Python/JS: Share sensitive data modeling#5739
Conversation
Initially I had called `nameIndicatesSensitiveData` for `maybeSensitiveName`, which made the relationship with `maybeSensitive` and `notSensitive` quite strange -- and therefore I added the more informative `maybeSensitiveRegexp` and `notSensitiveRegexp`. Although I'm no longer using `maybeSensitiveName`, and I no longer have a strong argument for making this name change, I still like it. If someone thinks this is a terrible idea, I'm happy to change it though 👍
which also prompted me to rewrite the QLDoc for `nameIndicatesSensitiveData`
Although there are warnings for the new deprecated classes/predicates, the test in javascript/ql/test/library-tests/SensitiveActions/ passes 👍
I added this predicate mostly because it was nice with an easy shortcut for it, but also since I spotted the `CredentialsFunctionName` not checking agaisnt the regexps in `notSensitive`, which looked suspicious. So the main goal of adding `nameIndicatesSensitiveData` is that you don't accidentially forget to ensure that the name doesn't match against `notSensitve`.
Someone from JS team needs to verify that this is actually OK.
| // match the regexps in `notSensitive`? | ||
| this.regexpMatch(maybeSensitive(classification)) | ||
| } | ||
| CredentialsFunctionName() { nameIndicatesSensitiveData(this, classification) } |
There was a problem hiding this comment.
It looks OK to me.
It effectively just adds not this.regexpMatch(notSensitive()).
But I don't think I've touched this code, so someone else might have another opinion.
There was a problem hiding this comment.
I also think it is fine.
In the worst case we would lose results that would be likely FPs.
There was a problem hiding this comment.
Thanks 👍 that was my conclusion as well, I just didn't want to take the sole responsibility for this 😅
erik-krogh
left a comment
There was a problem hiding this comment.
JS 👍
Just a single note about a deprecation comment.
javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
Show resolved
Hide resolved
yoff
left a comment
There was a problem hiding this comment.
Generally this is quite nice, I like the code sharing and the shortcut and I am happy with the naming of things. I had one question about some of the deprecated code, though.
| * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the | ||
| * given classification), and none of the regexps from `notSensitiveRegexp` matches |
There was a problem hiding this comment.
Is it intentional that both "rexeps" and "regexps" is used? (and would it be more mainstream to use "regexes"?)
There was a problem hiding this comment.
just a typo, will fix up 👍
There was a problem hiding this comment.
It would probably be more mainstream to use regexes... but I wanted to match the wording we use in CodeQL, which is regexp, for example in regexpMatch
| /** DEPRECATED: Use `SensitiveDataClassification::secret` instead. */ | ||
| deprecated predicate secret = SensitiveDataClassification::secret/0; | ||
|
|
||
| /** Gets the classification for user names or other account information. */ | ||
| Classification id() { result = "id" } | ||
| /** DEPRECATED: Use `SensitiveDataClassification::id` instead. */ | ||
| deprecated predicate id = SensitiveDataClassification::id/0; | ||
|
|
||
| /** Gets the classification for passwords or authorization keys. */ | ||
| Classification password() { result = "password" } | ||
| /** DEPRECATED: Use `SensitiveDataClassification::password` instead. */ | ||
| deprecated predicate password = SensitiveDataClassification::password/0; | ||
|
|
||
| /** Gets the classification for certificates. */ | ||
| Classification certificate() { result = "certificate" } | ||
| /** DEPRECATED: Use `SensitiveDataClassification::certificate` instead. */ | ||
| deprecated predicate certificate = SensitiveDataClassification::certificate/0; |
There was a problem hiding this comment.
Should these keep their return type?
There was a problem hiding this comment.
I would say that they do. They used to have Classification as return type, and Classification is now an alias for SensitiveDataClassification (line 28)... so their return type is still Classification in some sense.
There was a problem hiding this comment.
Ah, I just saw that it said predicate secret rather than SensitiveDataClassification secret. I guess I am not used to the predicate reference syntax.
| * That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the | ||
| * given classification), and none of the regexps from `notSensitiveRegexp` matches | ||
| * `name`. |
There was a problem hiding this comment.
Is it intentional that both "rexeps" and "regexps" are used? (and would it be more mainstream to use "regexes"?)
There was a problem hiding this comment.
I see that this comment shows up twice. I had it on one of the individual commits and did not see it in the view of all commits, so I wrote it again..
Python had an (outdated) copy of the sensitive data modeling from JS. This PR adds a
qlllibrary that is shared between languages.However, doing so introduces a problem of where to put the language-independent model. For this case, where it's not supposed to be used directly by an end-user, but rather re-exported by an other
.qllfile we provide, I opted for putting the model in aninternalfolder. I'm not feeling very strongly about this, so if someone has better ideas, I'm very open to suggestions.I would strongly recommend reviewing commit-by-commit (I also included info in the commit messages of individual commits). I don't have a very good solution for checking that the final shared library matches what was in the JS files (that is commit 0d08718 is ok) -- guess you just have to go through it predicate-by-predicate 🤷
Creating as draft PR until someone tells me that my change in 08e86fd is semantically OK.