1010 */
1111
1212import javascript
13-
14- /**
15- * Provides heuristics for identifying names related to sensitive information.
16- *
17- * INTERNAL: Do not use directly.
18- */
19- module HeuristicNames {
20- /**
21- * Gets a regular expression that identifies strings that may indicate the presence of secret
22- * or trusted data.
23- */
24- string maybeSecret ( ) { result = "(?is).*((?<!is)secret|(?<!un|is)trusted).*" }
25-
26- /**
27- * Gets a regular expression that identifies strings that may indicate the presence of
28- * user names or other account information.
29- */
30- string maybeAccountInfo ( ) {
31- result = "(?is).*acc(ou)?nt.*" or
32- result = "(?is).*(puid|username|userid).*"
33- }
34-
35- /**
36- * Gets a regular expression that identifies strings that may indicate the presence of
37- * a password or an authorization key.
38- */
39- string maybePassword ( ) {
40- result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
41- result = "(?is).*(auth(entication|ori[sz]ation)?)key.*"
42- }
43-
44- /**
45- * Gets a regular expression that identifies strings that may indicate the presence of
46- * a certificate.
47- */
48- string maybeCertificate ( ) { result = "(?is).*(cert)(?!.*(format|name)).*" }
49-
50- /**
51- * Gets a regular expression that identifies strings that may indicate the presence
52- * of sensitive data, with `classification` describing the kind of sensitive data involved.
53- */
54- string maybeSensitive ( SensitiveExpr:: Classification classification ) {
55- result = maybeSecret ( ) and classification = SensitiveExpr:: secret ( )
56- or
57- result = maybeAccountInfo ( ) and classification = SensitiveExpr:: id ( )
58- or
59- result = maybePassword ( ) and classification = SensitiveExpr:: password ( )
60- or
61- result = maybeCertificate ( ) and classification = SensitiveExpr:: certificate ( )
62- }
63-
64- /**
65- * Gets a regular expression that identifies strings that may indicate the presence of data
66- * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
67- * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
68- */
69- string notSensitive ( ) {
70- result = "(?is).*([^\\w$.-]|redact|censor|obfuscate|hash|md5|sha|((?<!un)(en))?(crypt|code)).*"
71- }
72- }
73-
13+ import semmle.javascript.security.internal.SensitiveDataHeuristics
7414private import HeuristicNames
7515
7616/** An expression that might contain sensitive data. */
@@ -82,33 +22,22 @@ abstract class SensitiveExpr extends Expr {
8222 abstract SensitiveExpr:: Classification getClassification ( ) ;
8323}
8424
85- module SensitiveExpr {
86- /**
87- * A classification of different kinds of sensitive data:
88- *
89- * - secret: generic secret or trusted data;
90- * - id: a user name or other account information;
91- * - password: a password or authorization key;
92- * - certificate: a certificate.
93- *
94- * While classifications are represented as strings, this should not be relied upon.
95- * Instead, use the predicates below to work with classifications.
96- */
97- class Classification extends string {
98- Classification ( ) { this = "secret" or this = "id" or this = "password" or this = "certificate" }
99- }
25+ /** DEPRECATED: Use `SensitiveDataClassification` and helpers instead. */
26+ deprecated module SensitiveExpr {
27+ /** DEPRECATED: Use `SensitiveDataClassification` instead. */
28+ deprecated class Classification = SensitiveDataClassification ;
10029
101- /** Gets the classification for secret or trusted data . */
102- Classification secret ( ) { result = " secret" }
30+ /** DEPRECATED: Use `SensitiveDataClassification:: secret` instead . */
31+ deprecated predicate secret = SensitiveDataClassification :: secret / 0 ;
10332
104- /** Gets the classification for user names or other account information . */
105- Classification id ( ) { result = "id" }
33+ /** DEPRECATED: Use `SensitiveDataClassification::id` instead . */
34+ deprecated predicate id = SensitiveDataClassification :: id / 0 ;
10635
107- /** Gets the classification for passwords or authorization keys . */
108- Classification password ( ) { result = " password" }
36+ /** DEPRECATED: Use `SensitiveDataClassification::password` instead . */
37+ deprecated predicate password = SensitiveDataClassification :: password / 0 ;
10938
110- /** Gets the classification for certificates . */
111- Classification certificate ( ) { result = " certificate" }
39+ /** DEPRECATED: Use `SensitiveDataClassification::certificate` instead . */
40+ deprecated predicate certificate = SensitiveDataClassification :: certificate / 0 ;
11241}
11342
11443/** A function call that might produce sensitive data. */
0 commit comments