Skip to content

Swift: Make the cleartext logging query consistent with other cleartext-* queries. #13163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
geoffw0 merged 4 commits into from
May 23, 2023
Merged

Swift: Make the cleartext logging query consistent with other cleartext-* queries. #13163

geoffw0 merged 4 commits into from
May 23, 2023

Conversation

@geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented May 15, 2023

Make the cleartext logging query consistent with other cleartext-* queries.

  • update the query ID from swift/clear-text-* to swift/cleartext-*, to match the other queries; we don't like to change query IDs, but doing it before public beta will have negligible effect compared to after.
  • update the result message; I found while debugging these queries that in some cases the additional information (about the source) provided by the other queries made it easier to sort through similar results.

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note Swift labels May 15, 2023
@geoffw0 geoffw0 requested a review from a team as a code owner May 15, 2023 11:03
MathiasVP
MathiasVP reviewed May 16, 2023
View reviewed changes
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A comment and a suggestion, but otherwise this LGTM

swift/ql/src/queries/Security/CWE-312/CleartextLogging.ql
Comment on lines +24 to +26
"This operation writes '" + sink.toString() +
"' to a log file. It may contain unencrypted sensitive data from $@.", source,
source.getNode().toString()
Copy link
Contributor

@MathiasVP MathiasVP May 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a lot of very different alert messages across languages for this query:

  • Go: "$@ flows to a logging call."
  • Python: "This expression logs $@ as clear text."
  • JS: "This logs sensitive data returned by $@ as clear text."
  • Ruby: "This logs sensitive data returned by $@ as clear text."

Are any of those alert messages better than the one we have right now for Swift?

Copy link
Contributor Author

@geoffw0 geoffw0 May 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main thing I care about is describing the source in the string, so that in a list of results (e.g. on MRVA) ones that are different from the others immediately stand out (without having to click through). The phrasing I've gone for here is just similar to the other swift/cleartext-* queries.

I do like the Go one for it's simplicity, but I think what we have is clear and consistent.

@redsun82 redsun82 changed the base branch from main to codeql-cli-2.13.3 May 23, 2023 12:44
@geoffw0 geoffw0 merged commit b2a958f into github:codeql-cli-2.13.3 May 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MathiasVP MathiasVP MathiasVP approved these changes

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Swift

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@geoffw0 @MathiasVP @redsun82