Conversation

@erik-krogh erik-krogh commented May 13, 2021

TP/TN for CVE-2020-7660

An LGTM showing which variables are now treated as sensitive reveals some FPs.
(Like this getUid method in bootstrap).
But generally I think the new results look good.

An evaluation shows some noisy performance. And about the same amount of FPs as the above LGTM run.

@github-actions github-actions bot added the JS label May 13, 2021
@erik-krogh erik-krogh added no-change-note-required This PR does not need a change note Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels May 14, 2021
@erik-krogh erik-krogh marked this pull request as ready for review May 17, 2021 08:32
@erik-krogh erik-krogh requested review from a team as code owners May 17, 2021 08:32

@esbena esbena left a comment

At first I thought this was a bit too ad hoc and would be too noisy, and that other queries than js/insecure-randomness should also be evaluated.
But then I noticed that we already treated the similar puid as sensitive, so I suppose this change is benign in practice.


@RasmusWL RasmusWL left a comment

No objections on the Python part 👍

@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label May 17, 2021
@codeql-ci codeql-ci merged commit 12b1bbe into github:main May 17, 2021
Labels

JS no-change-note-required This PR does not need a change note Python