Conversation

@hvitved hvitved commented Mar 16, 2023

This query was written before we had proper support for flow through hashes.

The first commit adds a couple of additional tests that reveal both a false positive result and a false negative result, both of which are fixed in the subsequent commit.

@github-actions github-actions bot added the Ruby label Mar 16, 2023
@hvitved hvitved force-pushed the ruby/clear-text-logging-hashes branch from 737b8b8 to f87291d Compare March 16, 2023 13:49
@hvitved hvitved force-pushed the ruby/clear-text-logging-hashes branch from f87291d to 9d3863e Compare March 16, 2023 13:56
#select
| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password |
Contributor Author

These extra results are because we both consider the write to the variable new_password to be a source, as well as the write to the hash key password.
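
The two result shapes in the rows above (the plaintext reaching storage through the local variable `new_password`, and reaching it again through the hash key `password`) can be illustrated with a small Ruby example. This is an added example, not code from this pull request or from the CodeQL repository; `FakeStore`, the function names and the PBKDF2-based hardening are assumptions made for the illustration, and the stored credential values are constructed.

```ruby
# Added example (not from the github/codeql repository or this PR).
# Shows the pattern the clear-text storage query is meant to flag: a sensitive
# value is placed in a hash under the key :password and that hash is persisted.
# The hardened variant persists only a salted PBKDF2 digest, so the plaintext
# never reaches the storage sink.
require "openssl"
require "securerandom"

# Constructed stand-in for a persistence layer (a database write in a real app).
# It records every hash it is asked to save so the sink can be inspected.
class FakeStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  def save(attrs)
    @rows << attrs.dup
    attrs
  end
end

# Clear-text variant: new_password flows into the hash value for :password and
# from there into the store. Both the variable write and the hash-key write are
# places a taint-tracking query can treat as the source of the sensitive data.
def store_user_clear_text(store, name, new_password)
  attrs = { name: name, password: new_password }
  store.save(attrs)
end

SALT_BYTES = 16
ITERATIONS = 100_000
KEY_LENGTH = 32

# Salted PBKDF2-HMAC-SHA256 digest of a password (assumed hardening choice).
def password_digest(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH, "sha256")
end

# Hardened variant: only the salt and the digest are written to the hash, under
# key names that do not suggest a clear-text credential.
def store_user_hashed(store, name, new_password)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  digest = password_digest(new_password, salt)
  attrs = {
    name: name,
    password_salt: salt.unpack1("H*"),
    password_digest: digest.unpack1("H*")
  }
  store.save(attrs)
end

# Constant-time byte comparison so digest checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recomputes the digest for a candidate password against a stored row.
def verify_password(row, candidate)
  salt = [row[:password_salt]].pack("H*")
  expected = [row[:password_digest]].pack("H*")
  secure_equal?(expected, password_digest(candidate, salt))
end

# True if any stored row still contains the secret verbatim.
def plaintext_in_store?(store, secret)
  store.rows.any? { |row| row.values.include?(secret) }
end
```

Running `store_user_clear_text` leaves the plaintext in the stored hash, which is exactly what the query reports at the `password` hash key; `store_user_hashed` stores nothing that equals the original value while `verify_password` still authenticates it.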

@hvitved hvitved marked this pull request as ready for review March 16, 2023 14:19
@hvitved hvitved requested a review from a team as a code owner March 16, 2023 14:19

@alexrford alexrford left a comment

Thanks!

@hvitved hvitved merged commit ee01e9a into github:main Mar 17, 2023
@hvitved hvitved deleted the ruby/clear-text-logging-hashes branch March 17, 2023 08:21
2 participants