Ruby/JS/Py: Add "random" to the notSensitiveRegexp() heuristic

alexrford · alexrford · commit 0f3cf47ca9ac · 2022-03-10T17:38:52.000Z
diff --git a/javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll b/javascript/ql/lib/semmle/javascript/security/internal/SensitiveDataHeuristics.qll
@@ -98,7 +98,7 @@ module HeuristicNames {
    * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitiveRegexp() {
-    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)).*"
   }
 
   /**
diff --git a/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll b/python/ql/lib/semmle/python/security/internal/SensitiveDataHeuristics.qll
@@ -98,7 +98,7 @@ module HeuristicNames {
    * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitiveRegexp() {
-    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)).*"
   }
 
   /**
diff --git a/ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll b/ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll
@@ -98,7 +98,7 @@ module HeuristicNames {
    * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
    */
   string notSensitiveRegexp() {
-    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
+    result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|random|((?<!un)(en))?(crypt|code)).*"
   }
 
   /**
diff --git a/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb b/ruby/ql/test/query-tests/security/cwe-312/app/controllers/users_controller.rb
@@ -63,4 +63,12 @@ def fileWrites
     # BAD: plaintext password stored to disk
     File.new("bar.txt", "a").puts("password: #{new_password}")
   end
+
+  def randomPasswordAssign
+    user = User.find(1)
+    random_password = SecureRandom.hex(20)
+    # GOOD: the `random_password` value here looks like the hash of an unknown password
+    user.password = random_password
+    user.save
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ module HeuristicNames {`
`98`	`98`	`* suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).`
`99`	`99`	`*/`
`100`	`100`	`string notSensitiveRegexp() {`
`101`		`- result = "(?is).([^\\w$.-]\|redact\|censor\|obfuscate\|hash\|md5\|sha\|((?<!un)(en))?(crypt\|code))."`
	`101`	`+ result = "(?is).([^\\w$.-]\|redact\|censor\|obfuscate\|hash\|md5\|sha\|random\|((?<!un)(en))?(crypt\|code))."`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`/**`