codeql
False positive: mistaking username for password if they are set in the same tuple
Description of the false positive
Sometimes, when a variable stores a tuple containing a password and a username, and the username is logged to a file directly after the tuple is split, CodeQL assumes the username variable is a password and reports "Clear-text storage of sensitive information".
Code samples or links to source code
Step 1 ControlFlowNode for Subscript
Source
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)
```python
        api = config["api"]
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
```
Step 2 ControlFlowNode for password
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)
```python
        api = config["api"]
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
```
Step 3 ControlFlowNode for Tuple
[DataBase.py:847](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L847-L847)
```python
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
        return f"ERROR {e} && 520"
```
Step 4 ControlFlowNode for read_api()
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)
```python
    - str: If the API is invalid, returns a formatted error message.
    """
    # Initialize the UserManager and API values
    temp = read_api()
    if isinstance(temp, str):
        if check_ERROR(temp):
            return temp
```
Step 5 ControlFlowNode for temp
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)
```python
    - str: If the API is invalid, returns a formatted error message.
    """
    # Initialize the UserManager and API values
    temp = read_api()
    if isinstance(temp, str):
        if check_ERROR(temp):
            return temp
```
Step 6 ControlFlowNode for username
[DataBase.py:971](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L971-L971)
```python
        if check_ERROR(temp):
            return temp
    else:
        api, username, password, exclusion_titles = temp
        if api == "REC":
            log.info(
```
Step 7 ControlFlowNode for Fstring
[DataBase.py:975](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L975-L975)
```python
        if api == "REC":
            log.info(
                f"A request has been made to generate an exam by the user {username}"
            )
            if um.verify_password(username, password):
                DATA = exam_generator(username)
```
Step 8 ControlFlowNode for message
[DataBase.py:504](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L504-L504)
```python
        return time
    def info(self, message):
        """
        Writes an informational message to the log file.
```
Step 9 ControlFlowNode for Fstring
[DataBase.py:515](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L515-L515)
```python
        None
        """
        with open(self.filename, "a") as f:
            f.write(f"INFO: {message} at {self.timestamp()}\n")
```
This expression stores as clear text.
```python
    def error(self, message):
        """
```
URL to the alert on GitHub code scanning (optional)
https://github.com/DefinetlyNotAI/Test-generator/security/code-scanning/50
Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
In your case it looks like CodeQL treats the entire tuple as tainted without distinguishing the individual components of the tuple.
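The following is an added example, not code from the Test-generator project or from the CodeQL query. It reproduces the shape that produced the alert with a constructed config dict and an in-memory list standing in for the log file, then shows a restructuring in which the password never shares a container with the username. With no tuple carrying both values, the path above (Tuple → read_api() → temp → username) has no tainted tuple to pass through. The names `SAMPLE_CONFIG`, `verify_password`, `read_api_tuple`, `handle_request_tuple`, `read_settings`, `read_password`, `redact` and `handle_request_split` are all assumptions made for this example.

```python
import re

# Constructed sample config; the password is a placeholder, not a real secret.
SAMPLE_CONFIG = {
    "api": "REC",
    "username": "alice",
    "password": "placeholder-not-a-real-secret",
    "exclusion_titles": ["Chapter 9"],
}


def verify_password(username, password):
    """Stand-in for the project's UserManager.verify_password (constructed)."""
    return (username, password) == (SAMPLE_CONFIG["username"], SAMPLE_CONFIG["password"])


def read_api_tuple(config):
    """Shape that triggered the alert: the password travels in the same tuple as
    the username. Taint tracking marks the whole tuple as tainted, so every name
    unpacked from it, including `username`, inherits the taint."""
    return config["api"], config["username"], config["password"], config["exclusion_titles"]


def handle_request_tuple(config, log):
    """Mirror of the flagged flow: unpack the tuple, then log the username."""
    api, username, password, exclusion_titles = read_api_tuple(config)
    if api == "REC":
        # Only the username is written, but it was unpacked from the tainted
        # tuple, so this is the line reported as clear-text storage.
        log.append(f"A request has been made to generate an exam by the user {username}")
        return verify_password(username, password)
    return False


def read_settings(config):
    """Loggable settings only: api, username, exclusion_titles. No secret is in
    this tuple, so nothing unpacked from it can be tainted by the password."""
    return config["api"], config["username"], config["exclusion_titles"]


def read_password(config):
    """The secret on its own; it goes straight to the verifier and is never
    stored in a value that also carries data intended for the log."""
    return config["password"]


# Defence in depth at the log boundary: `password=...` / `token: ...` pairs are
# scrubbed even if a future f-string accidentally interpolates a secret.
SECRET_KV = re.compile(r"\b(password|passwd|secret|token)\b(\s*[=:]\s*)\S+", re.IGNORECASE)


def redact(message):
    """Replace the value of any key=value / key: value pair whose key is a secret name."""
    return SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)


def handle_request_split(config, log):
    """Same behaviour as handle_request_tuple, without the shared container."""
    api, username, exclusion_titles = read_settings(config)
    if api == "REC":
        log.append(redact(f"A request has been made to generate an exam by the user {username}"))
        return verify_password(username, read_password(config))
    return False


if __name__ == "__main__":
    for handler in (handle_request_tuple, handle_request_split):
        entries = []
        ok = handler(SAMPLE_CONFIG, entries)
        print(handler.__name__, ok, entries)
```

Both handlers write the same log line and verify the same credentials; the difference is only which values ever sit together in one container. Once the alert has been confirmed as a false positive, it can also be dismissed in the repository's code scanning view with the "False positive" reason, but splitting the reader is the better fix because it removes the secret from the data path that reaches the log file rather than silencing the finding.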