CleartextLogging: sanitize strings.Split(authheader, ":")[0] and similar

smowton · smowton · commit f6194b52f0bc · 2020-09-10T14:49:24.000+01:00
These can represent a username, method name or other non-sensitive component of an Authorization header. For greater precision we could split the query into one investigating Authorization headers and one investigating other sources of sensitive data that can't be sanitized by splitting this way.
diff --git a/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll b/ql/src/semmle/go/security/CleartextLoggingCustomizations.qll
@@ -183,4 +183,22 @@ module CleartextLogging {
 
     override string describe() { result = "HTTP request headers" }
   }
+
+  /**
+   * The first element of a split by ' '  or ':', often sanitizing a username/password pair
+   * or the "Method value" syntax used in the HTTP Authorization header.
+   */
+  private class NonSensitiveAuthorizationElement extends Barrier, DataFlow::ElementReadNode {
+    NonSensitiveAuthorizationElement() {
+      exists(DataFlow::CallNode splitCall, DataFlow::Node splitAlias |
+        splitCall
+            .getTarget()
+            .hasQualifiedName("strings", ["Split", "SplitN", "SplitAfter", "SplitAfterN"]) and
+        splitCall.getArgument(1).getStringValue() = [" ", ":"] and
+        DataFlow::localFlow(splitCall.getResult(), splitAlias) and
+        this.getBase() = splitAlias
+      ) and
+      this.getIndex().getIntValue() = 0
+    }
+  }
 }
