Skip to content

Python/JS: Share sensitive data modeling#5739

Merged
yoff merged 10 commits intogithub:mainfrom
RasmusWL:share-sensitive-data-modeling
May 11, 2021
Merged

Python/JS: Share sensitive data modeling#5739
yoff merged 10 commits intogithub:mainfrom
RasmusWL:share-sensitive-data-modeling

Conversation

@RasmusWL
Copy link
Member

Python had an (outdated) copy of the sensitive data modeling from JS. This PR adds a qll library that is shared between languages.

However, doing so introduces a problem of where to put the language-independent model. For this case, where it's not supposed to be used directly by an end-user, but rather re-exported by an other .qll file we provide, I opted for putting the model in an internal folder. I'm not feeling very strongly about this, so if someone has better ideas, I'm very open to suggestions.

I would strongly recommend reviewing commit-by-commit (I also included info in the commit messages of individual commits). I don't have a very good solution for checking that the final shared library matches what was in the JS files (that is commit 0d08718 is ok) -- guess you just have to go through it predicate-by-predicate 🤷

Creating as draft PR until someone tells me that my change in 08e86fd is semantically OK.

Initially I had called `nameIndicatesSensitiveData` for `maybeSensitiveName`,
which made the relationship with `maybeSensitive` and `notSensitive` quite
strange -- and therefore I added the more informative `maybeSensitiveRegexp` and
`notSensitiveRegexp`.

Although I'm no longer using `maybeSensitiveName`, and I no longer have a strong
argument for making this name change, I still like it. If someone thinks this is
a terrible idea, I'm happy to change it though 👍
which also prompted me to rewrite the QLDoc for `nameIndicatesSensitiveData`
Although there are warnings for the new deprecated classes/predicates, the test
in javascript/ql/test/library-tests/SensitiveActions/ passes 👍
I added this predicate mostly because it was nice with an easy shortcut for it,
but also since I spotted the `CredentialsFunctionName` not checking agaisnt the
regexps in `notSensitive`, which looked suspicious. So the main goal of adding
`nameIndicatesSensitiveData` is that you don't accidentially forget to ensure
that the name doesn't match against `notSensitve`.
Someone from JS team needs to verify that this is actually OK.
@RasmusWL RasmusWL requested a review from a team April 21, 2021 09:51
// match the regexps in `notSensitive`?
this.regexpMatch(maybeSensitive(classification))
}
CredentialsFunctionName() { nameIndicatesSensitiveData(this, classification) }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks OK to me.
It effectively just adds not this.regexpMatch(notSensitive()).

But I don't think I've touched this code, so someone else might have another opinion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think it is fine.
In the worst case we would lose results that would be likely FPs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍 that was my conclusion as well, I just didn't want to take the sole responsibility for this 😅

@RasmusWL RasmusWL marked this pull request as ready for review April 22, 2021 12:40
@RasmusWL RasmusWL requested a review from a team as a code owner April 22, 2021 12:40
@RasmusWL RasmusWL added the no-change-note-required This PR does not need a change note label Apr 22, 2021
@erik-krogh erik-krogh self-assigned this Apr 28, 2021
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JS 👍

Just a single note about a deprecation comment.

@RasmusWL RasmusWL requested a review from erik-krogh April 28, 2021 09:51
erik-krogh
erik-krogh previously approved these changes Apr 28, 2021
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JS 👍

Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally this is quite nice, I like the code sharing and the shortcut and I am happy with the naming of things. I had one question about some of the deprecated code, though.

Comment on lines 121 to 122
* That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
* given classification), and none of the regexps from `notSensitiveRegexp` matches
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intentional that both "rexeps" and "regexps" is used? (and would it be more mainstream to use "regexes"?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a typo, will fix up 👍

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would probably be more mainstream to use regexes... but I wanted to match the wording we use in CodeQL, which is regexp, for example in regexpMatch

Comment on lines +30 to +40
/** DEPRECATED: Use `SensitiveDataClassification::secret` instead. */
deprecated predicate secret = SensitiveDataClassification::secret/0;

/** Gets the classification for user names or other account information. */
Classification id() { result = "id" }
/** DEPRECATED: Use `SensitiveDataClassification::id` instead. */
deprecated predicate id = SensitiveDataClassification::id/0;

/** Gets the classification for passwords or authorization keys. */
Classification password() { result = "password" }
/** DEPRECATED: Use `SensitiveDataClassification::password` instead. */
deprecated predicate password = SensitiveDataClassification::password/0;

/** Gets the classification for certificates. */
Classification certificate() { result = "certificate" }
/** DEPRECATED: Use `SensitiveDataClassification::certificate` instead. */
deprecated predicate certificate = SensitiveDataClassification::certificate/0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these keep their return type?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would say that they do. They used to have Classification as return type, and Classification is now an alias for SensitiveDataClassification (line 28)... so their return type is still Classification in some sense.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I just saw that it said predicate secret rather than SensitiveDataClassification secret. I guess I am not used to the predicate reference syntax.

Comment on lines +119 to +121
* That is, one of the rexeps from `maybeSensitiveRegexp` matches `name` (with the
* given classification), and none of the regexps from `notSensitiveRegexp` matches
* `name`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it intentional that both "rexeps" and "regexps" are used? (and would it be more mainstream to use "regexes"?)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that this comment shows up twice. I had it on one of the individual commits and did not see it in the view of all commits, so I wrote it again..

Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yoff yoff merged commit 549c9ee into github:main May 11, 2021
@RasmusWL RasmusWL deleted the share-sensitive-data-modeling branch May 11, 2021 11:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

JS no-change-note-required This PR does not need a change note Python

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants