Skip to content

Shared: Improve sensitive data heuristics #20024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jul 23, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Original file line number Diff line number Diff line change
@@ -1,29 +1,29 @@
multipleCallTargets
| test.rs:55:7:55:26 | ... .as_str() |
| test.rs:56:7:56:21 | ... .as_str() |
| test.rs:72:7:72:26 | ... .as_str() |
| test.rs:73:7:73:36 | ... .as_str() |
| test.rs:74:7:74:34 | ... .as_str() |
| test.rs:75:7:75:27 | ... .as_str() |
| test.rs:258:7:258:36 | ... .as_str() |
| test.rs:260:7:260:33 | ... .as_str() |
| test.rs:261:7:261:36 | ... .as_str() |
| test.rs:262:7:262:26 | ... .as_str() |
| test.rs:266:7:266:28 | ... .as_str() |
| test.rs:267:7:267:37 | ... .as_str() |
| test.rs:268:7:268:36 | ... .as_str() |
| test.rs:271:7:271:32 | ... .as_str() |
| test.rs:281:7:281:34 | ... .as_str() |
| test.rs:284:7:284:36 | ... .as_str() |
| test.rs:288:7:288:39 | ... .as_str() |
| test.rs:295:7:295:53 | ... .as_str() |
| test.rs:296:7:296:45 | ... .as_str() |
| test.rs:298:7:298:39 | ... .as_str() |
| test.rs:299:7:299:34 | ... .as_str() |
| test.rs:300:7:300:42 | ... .as_str() |
| test.rs:302:7:302:48 | ... .as_str() |
| test.rs:303:7:303:35 | ... .as_str() |
| test.rs:304:7:304:35 | ... .as_str() |
| test.rs:313:8:313:19 | num.as_str() |
| test.rs:324:8:324:19 | num.as_str() |
| test.rs:343:7:343:39 | ... .as_str() |
| test.rs:56:7:56:26 | ... .as_str() |
| test.rs:57:7:57:21 | ... .as_str() |
| test.rs:73:7:73:26 | ... .as_str() |
| test.rs:74:7:74:36 | ... .as_str() |
| test.rs:75:7:75:34 | ... .as_str() |
| test.rs:76:7:76:27 | ... .as_str() |
| test.rs:262:7:262:36 | ... .as_str() |
| test.rs:264:7:264:33 | ... .as_str() |
| test.rs:265:7:265:36 | ... .as_str() |
| test.rs:266:7:266:26 | ... .as_str() |
| test.rs:270:7:270:28 | ... .as_str() |
| test.rs:271:7:271:37 | ... .as_str() |
| test.rs:272:7:272:36 | ... .as_str() |
| test.rs:275:7:275:32 | ... .as_str() |
| test.rs:285:7:285:34 | ... .as_str() |
| test.rs:288:7:288:36 | ... .as_str() |
| test.rs:292:7:292:39 | ... .as_str() |
| test.rs:299:7:299:53 | ... .as_str() |
| test.rs:300:7:300:45 | ... .as_str() |
| test.rs:302:7:302:39 | ... .as_str() |
| test.rs:303:7:303:34 | ... .as_str() |
| test.rs:304:7:304:42 | ... .as_str() |
| test.rs:306:7:306:48 | ... .as_str() |
| test.rs:307:7:307:35 | ... .as_str() |
| test.rs:308:7:308:35 | ... .as_str() |
| test.rs:317:8:317:19 | num.as_str() |
| test.rs:328:8:328:19 | num.as_str() |
| test.rs:347:7:347:39 | ... .as_str() |
80 changes: 42 additions & 38 deletions rust/ql/test/library-tests/sensitivedata/test.rs
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ impl MyStruct {
fn get_password() -> String { get_string() }

fn test_passwords(
password: &str, pass_word: &str, passwd: &str, my_password: &str, password_str: &str,
password: &str, pass_word: &str, passwd: &str, my_password: &str, password_str: &str, password_confirmation: &str,
pass_phrase: &str, passphrase: &str, passPhrase: &str, backup_code: &str,
auth_key: &str, authkey: &str, authKey: &str, authentication_key: &str, authenticationkey: &str, authenticationKey: &str, oauth: &str,
one_time_code: &str,
Expand All @@ -37,6 +37,7 @@ fn test_passwords(
sink(passwd); // $ sensitive=password
sink(my_password); // $ sensitive=password
sink(password_str); // $ sensitive=password
sink(password_confirmation); // $ sensitive=password
sink(pass_phrase); // $ sensitive=password
sink(passphrase); // $ sensitive=password
sink(passPhrase); // $ sensitive=password
Expand All @@ -48,12 +49,12 @@ fn test_passwords(
sink(authentication_key); // $ sensitive=password
sink(authenticationkey); // $ sensitive=password
sink(authenticationKey); // $ sensitive=password
sink(oauth); // $ MISSING: sensitive=password
sink(oauth); // $ sensitive=password
sink(one_time_code); // $ MISSING: sensitive=password

sink(ms); // $ MISSING: sensitive=password
sink(ms.password.as_str()); // $ sensitive=password
sink(ms.mfa.as_str()); // $ MISSING: sensitive=password
sink(ms.mfa.as_str()); // $ sensitive=password

sink(get_password()); // $ sensitive=password
let password2 = get_string();
Expand All @@ -67,10 +68,10 @@ fn test_passwords(
sink(harmless);
sink(encrypted_password);
sink(password_hash);
sink(passwordFile); // $ SPURIOUS: sensitive=password
sink(passwordFile);

sink(ms.harmless.as_str());
sink(ms.password_file_path.as_str()); // $ SPURIOUS: sensitive=password
sink(ms.password_file_path.as_str());
sink(ms.password_enabled.as_str()); // $ SPURIOUS: sensitive=password
sink(ms.numfailed.as_str());

Expand Down Expand Up @@ -127,11 +128,11 @@ fn test_credentials(

sink(hashkey);
sink(hash_key);
sink(sessionkeypath); // $ SPURIOUS: sensitive=id
sink(account_key_path); // $ SPURIOUS: sensitive=id
sink(sessionkeypath);
sink(account_key_path);

sink(ms.get_certificate_url()); // $ SPURIOUS: sensitive=certificate
sink(ms.get_certificate_file()); // $ SPURIOUS: sensitive=certificate
sink(ms.get_certificate_url());
sink(ms.get_certificate_file());

sink(get_public_key());
sink(get_next_token());
Expand Down Expand Up @@ -160,16 +161,19 @@ impl DeviceInfo {
fn test_device_info(&self, other: &DeviceInfo) {
// private device info

sink(&self.api_key); // $ MISSING: sensitive=id
sink(&other.api_key); // $ MISSING: sensitive=id
sink(&self.deviceApiToken); // $ MISSING: sensitive=id
sink(&self.finger_print); // $ MISSING: sensitive=id
sink(&self.ip_address); // $ MISSING: sensitive=id
sink(self.macaddr12); // $ MISSING: sensitive=id
sink(&self.mac_addr); // $ MISSING: sensitive=id
sink(self.mac_addr.values); // $ MISSING: sensitive=id
sink(self.mac_addr.values[0]); // $ MISSING: sensitive=id
sink(&self.networkMacAddress); // $ MISSING: sensitive=id
sink(&self.api_key); // $ sensitive=password
sink(&other.api_key); // $ sensitive=password
sink(&self.deviceApiToken); // $ sensitive=password
sink(self.macaddr12); // $ sensitive=private
sink(&self.mac_addr); // $ sensitive=private
sink(self.mac_addr.values); // $ sensitive=private
sink(self.mac_addr.values[0]); // $ sensitive=private
sink(&self.networkMacAddress); // $ sensitive=private

// dubious (may or may not be private device info, depending on context)

sink(&self.finger_print);
sink(&self.ip_address);

// not private device info

Expand Down Expand Up @@ -267,26 +271,26 @@ fn test_private_info(
sink(info.emergency_contact.as_str()); // $ sensitive=private
sink(info.name_of_employer.as_str()); // $ sensitive=private

sink(&info.gender); // $ MISSING: sensitive=private
sink(info.genderString.as_str()); // $ MISSING: sensitive=private
sink(&info.gender); // $ sensitive=private
sink(info.genderString.as_str()); // $ sensitive=private
let sex = "Male";
let gender = Gender::Female;
let a = Gender::Female;
sink(sex); // $ MISSING: sensitive=private
sink(gender); // $ MISSING: sensitive=private
sink(sex); // $ sensitive=private
sink(gender); // $ sensitive=private
sink(a); // $ MISSING: sensitive=private

sink(info.patient_id); // $ MISSING: sensitive=private
sink(info.linkedPatientId); // $ MISSING: sensitive=private
sink(info.patient_record.as_str()); // $ MISSING: sensitive=private
sink(info.patient_record.trim()); // $ MISSING: sensitive=private
sink(info.patient_id); // $ sensitive=private
sink(info.linkedPatientId); // $ sensitive=private
sink(info.patient_record.as_str()); // $ sensitive=private
sink(info.patient_record.trim()); // $ sensitive=private
sink(&info.medical_notes); // $ sensitive=private
sink(info.medical_notes[0].as_str()); // $ sensitive=private
for n in info.medical_notes.iter() {
sink(n.as_str()); // $ MISSING: sensitive=private
}
sink(info.confidentialMessage.as_str()); // $ MISSING: sensitive=private
sink(info.confidentialMessage.to_lowercase()); // $ MISSING: sensitive=private
sink(info.confidentialMessage.as_str()); // $ sensitive=secret
sink(info.confidentialMessage.to_lowercase()); // $ sensitive=secret

sink(info.latitude); // $ sensitive=private
let x = info.longitude.unwrap();
Expand All @@ -296,12 +300,12 @@ fn test_private_info(
sink(info.financials.credit_card_no.as_str()); // $ sensitive=private
sink(info.financials.credit_rating); // $ sensitive=private
sink(info.financials.user_ccn.as_str()); // $ sensitive=private
sink(info.financials.cvv.as_str()); // $ MISSING: sensitive=private
sink(info.financials.beneficiary.as_str()); // $ MISSING: sensitive=private
sink(info.financials.routing_number); // $ MISSING: sensitive=private
sink(info.financials.routingNumberText.as_str()); // $ MISSING: sensitive=private
sink(info.financials.iban.as_str()); // $ MISSING: sensitive=private
sink(info.financials.iBAN.as_str()); // $ MISSING: sensitive=private
sink(info.financials.cvv.as_str()); // $ sensitive=private
sink(info.financials.beneficiary.as_str()); // $ sensitive=private
sink(info.financials.routing_number); // $ sensitive=private
sink(info.financials.routingNumberText.as_str()); // $ sensitive=private
sink(info.financials.iban.as_str()); // $ sensitive=private
sink(info.financials.iBAN.as_str()); // $ sensitive=private

sink(ContactDetails::HomePhoneNumber("123".to_string())); // $ sensitive=private
sink(ContactDetails::MobileNumber("123".to_string())); // $ sensitive=private
Expand Down Expand Up @@ -343,8 +347,8 @@ fn test_private_info(
sink(info.financials.harmless.as_str());
sink(info.financials.num_accounts); // $ SPURIOUS: sensitive=id
sink(info.financials.total_accounts); // $ SPURIOUS: sensitive=id
sink(info.financials.accounting); // $ SPURIOUS: sensitive=id
sink(info.financials.unaccounted); // $ SPURIOUS: sensitive=id
sink(info.financials.accounting);
sink(info.financials.unaccounted);
sink(info.financials.multiband);

sink(ContactDetails::FavouriteColor("blue".to_string()));
Expand All @@ -362,5 +366,5 @@ impl MyArray {

fn test_iterator() {
let iter = std::iter::repeat(1).take(10);
sink(MyArray::from_trusted_iterator(iter)); // $ SPURIOUS: sensitive=secret
sink(MyArray::from_trusted_iterator(iter));
}
Original file line number Diff line number Diff line change
Expand Up @@ -56,15 +56,16 @@ module HeuristicNames {
* Gets a regular expression that identifies strings that may indicate the presence of secret
* or trusted data.
*/
string maybeSecret() { result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted).*" }
string maybeSecret() {
result = "(?is).*((?<!is|is_)secret|(?<!un|un_|is|is_)trusted(?!_iter)|confidential).*"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the reason for adding (?!_iter) ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In Rust there are library methods called from_trusted_iterator, where "trusted" means it's trusted not to overrun the container (or something along those lines), not anything to do with secret or confidential data. There's actually quite a lot of flow from those calls to sinks, i.e. it's causing a good number of false positive results, not to mention wobble in nightly DCA runs. So the exclusion is a bit specific, but I'm very keen to add it.

There is a test case sink(MyArray::from_trusted_iterator(iter)); that resembles (simplified) what we see in the wild.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah makes sense, thanks for clarifying.

}

/**
* Gets a regular expression that identifies strings that may indicate the presence of
* user names or other account information.
*/
string maybeAccountInfo() {
result = "(?is).*acc(ou)?nt.*" or
result = "(?is).*(puid|user.?name|user.?id|session.?(id|key)).*" or
result = "(?is).*(acc(ou)?nt|puid|user.?(name|id)|session.?(id|key)).*" or
result = "(?s).*([uU]|^|_|[a-z](?=U))([uU][iI][dD]).*"
}

Expand All @@ -73,8 +74,9 @@ module HeuristicNames {
* a password or an authorization key.
*/
string maybePassword() {
result = "(?is).*pass(wd|word|code|.?phrase)(?!.*question).*" or
result = "(?is).*(auth(entication|ori[sz]ation)?).?key.*"
result =
"(?is).*(pass(wd|word|code|.?phrase)(?!.*question)|(auth(entication|ori[sz]ation)?).?key|oauth|"
+ "api.?(key|token)|([_-]|\\b)mfa([_-]|\\b)).*"
}

/**
Expand All @@ -90,7 +92,7 @@ module HeuristicNames {
string maybePrivate() {
result =
"(?is).*(" +
// Inspired by the list on https://cwe.mitre.org/data/definitions/359.html
// Inspired by multiple sources including the list on https://cwe.mitre.org/data/definitions/359.html
// Government identifiers, such as Social Security Numbers
"social.?security|employer.?identification|national.?insurance|resident.?id|" +
"passport.?(num|no)|([_-]|\\b)ssn([_-]|\\b)|" +
Expand All @@ -102,17 +104,19 @@ module HeuristicNames {
// Geographic location - where the user is (or was)
"latitude|longitude|nationality|" +
// Financial data - such as credit card numbers, salary, bank accounts, and debts
"(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|" +
"salary|billing|credit.?(rating|score)|([_-]|\\b)ccn([_-]|\\b)|" +
"(credit|debit|bank|visa).?(card|num|no|acc(ou)?nt)|acc(ou)?nt.?(no|num|credit)|routing.?num|"
+ "salary|billing|beneficiary|credit.?(rating|score)|([_-]|\\b)(ccn|cvv|iban)([_-]|\\b)|" +
// Communications - e-mail addresses, private e-mail messages, SMS text messages, chat logs, etc.
// "e(mail|_mail)|" + // this seems too noisy
// Health - medical conditions, insurance status, prescription records
"birth.?da(te|y)|da(te|y).?(of.?)?birth|" +
"medical|(health|care).?plan|healthkit|appointment|prescription|" +
"birth.?da(te|y)|da(te|y).?(of.?)?birth|gender|([_-]|\\b)sex([_-]|\\b)|" +
"medical|(health|care).?plan|healthkit|appointment|prescription|patient.?(id|record)|" +
"blood.?(type|alcohol|glucose|pressure)|heart.?(rate|rhythm)|body.?(mass|fat)|" +
"menstrua|pregnan|insulin|inhaler|" +
// Relationships - work and family
"employ(er|ee)|spouse|maiden.?name" +
"employ(er|ee)|spouse|maiden.?name|" +
// Device information
"mac.?addr" +
// ---
").*"
}
Expand Down Expand Up @@ -146,7 +150,8 @@ module HeuristicNames {
*/
string notSensitiveRegexp() {
result =
"(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|certain|concert|secretar|accountant|accountab).*"
"(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|(?<!pass)code)|"
+ "certain|concert|secretar|account(ant|ab|ing|ed)|file|path|([_-]|\\b)url).*"
}

/**
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The regular expressions in `SensitiveDataHeuristics.qll` have been extended to find more instances of sensitive data such as secrets used in authentication, finance and health information, and device data. The heuristics have also been refined to find fewer false positive matches. This will improve results for queries related to sensitive information.
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy