Skip to content

Go : Improvements to Timing Attacks query#13645

Merged
owen-mc merged 2 commits intomainfrom
unknown repository
Aug 1, 2023
Merged

Go : Improvements to Timing Attacks query#13645
owen-mc merged 2 commits intomainfrom
unknown repository

Conversation

@ghost
Copy link

@ghost ghost commented Jul 2, 2023

Includes changes suggested in github/securitylab#757 (comment)
cc @Kwstubbs

@ghost ghost self-requested a review as a code owner July 2, 2023 12:59
@github-actions github-actions bot added the Go label Jul 2, 2023
@owen-mc
Copy link
Contributor

owen-mc commented Jul 19, 2023

In SensitiveCompareSink do you really want ComparisonExpr, which includes <, <=, >= and >? I think you might just want == and !=, in which case you should use EqualityTestExpr.

c.getArgument(_).asExpr() = op1 and
op1.getClassification() = [SensitiveExpr::secret(), SensitiveExpr::password()] and
// exclude grant to avoid FP from OAuth
not op1.getClassification().matches("%grant%") and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain where "%grant" comes from?

@ghost
Copy link
Author

ghost commented Jul 25, 2023

@owen-mc Changes done!

Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test failures aren't your fault. They were fixed by #13824. Please merge in/rebase on main to get the fix.

@owen-mc owen-mc merged commit a8c6444 into github:main Aug 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant