
Python: Private Data Cleartext Storage/Logging

Open dilanbhalla opened this issue 5 years ago • 4 comments

Added new library and corresponding queries for storage/logging of cleartext private data. This already exists for sensitive expressions (CWE-311) but would be helpful to have for private data as well, as we already have for C# (seen in C# queries CWE-312 and CWE-359). The PrivateData.qll library includes information corresponding to government identifiers, as opposed to the credential-related information stored in SensitiveData.qll, but still important to keep encrypted before storing/logging as mentioned above.

dilanbhalla avatar Jul 04 '20 07:07 dilanbhalla
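As an added illustration of the heuristic the PR describes (this is not the PR's QL code and not part of the codeql repository), the sketch below does in plain Python what the proposed query does over a CodeQL database: it walks a module's AST, treats names that look like government identifiers (`ssn`, `passport_number`, `national_id`, ...) as private data, and reports any such name that reaches a logging call or file write without first passing through a sanitizer. The regexes, the sink list, the sanitizer names (`mask_id`, `hmac_id`, ...) and the sample module are all constructed assumptions chosen for this example; a real query would use the library's own taint-tracking rather than a one-level name match.

```python
"""Name-based heuristic for cleartext storage/logging of private data.

Constructed example; the identifier patterns, sinks and sanitizer names below are
assumptions for illustration, not CodeQL's PrivateData.qll definitions.
"""
import ast
import re
from typing import List, Tuple

# Assumed "private data" patterns: government identifiers, kept separate from
# credential-style names (password, token, secret) that a sensitive-data query covers.
PRIVATE_DATA_RE = re.compile(
    r"(ssn|social_?security|passport|national_?id|driver_?licen[cs]e|tax_?id|nino)",
    re.IGNORECASE,
)

# Assumed sinks: the stdlib logging API and file writes.
LOG_SINK_RE = re.compile(r"^(log|logger|logging)\.(debug|info|warning|warn|error|critical|exception)$")
FILE_SINK_NAMES = {"write", "writelines"}

# Assumed sanitizers: a value that passes through one of these is not reported.
SANITIZER_NAMES = {"mask", "mask_id", "redact", "encrypt", "hmac_id"}


def mask_id(value: str, keep: int = 4) -> str:
    """Redaction helper for log lines: keep only the last `keep` characters."""
    if not value:
        return ""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as `log.info` as a string, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _is_sink(call: ast.Call) -> bool:
    """True for logging calls and for `<something>.write(...)` / `.writelines(...)`."""
    if LOG_SINK_RE.match(_dotted_name(call.func)):
        return True
    return isinstance(call.func, ast.Attribute) and call.func.attr in FILE_SINK_NAMES


def _private_names_in(node: ast.AST) -> List[str]:
    """Collect private-data-looking names under `node`, not descending into sanitizer calls."""
    if isinstance(node, ast.Call) and _dotted_name(node.func).split(".")[-1] in SANITIZER_NAMES:
        return []  # the value was masked/encrypted/hashed before reaching the sink
    found = []
    if isinstance(node, ast.Name) and PRIVATE_DATA_RE.search(node.id):
        found.append(node.id)
    if isinstance(node, ast.Attribute) and PRIVATE_DATA_RE.search(node.attr):
        found.append(node.attr)
    for child in ast.iter_child_nodes(node):
        found.extend(_private_names_in(child))
    return found


def find_cleartext_private_data(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, identifier) for each private-data name that reaches a sink unsanitized."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_sink(node):
            sink = _dotted_name(node.func)
            for arg in list(node.args) + [kw.value for kw in node.keywords]:
                for ident in _private_names_in(arg):
                    findings.append((node.lineno, sink, ident))
    return findings


# Constructed sample module: two cleartext sinks, one clean line, one sanitized line.
SAMPLE = '''
import logging
log = logging.getLogger(__name__)

def register(user):
    log.info("registering %s with ssn %s", user.name, user.ssn)
    with open("audit.txt", "a") as f:
        f.write(f"{user.name},{user.passport_number}")
    log.info("registered %s", user.name)
    log.debug("ssn digest %s", hmac_id(user.ssn))
'''

if __name__ == "__main__":
    for line, sink, ident in find_cleartext_private_data(SAMPLE):
        print(f"line {line}: private data '{ident}' reaches {sink} in cleartext")
    print("masked for logging:", mask_id("123-45-6789"))
```

Running it reports lines 6 and 8 of the sample and nothing for the sanitized `hmac_id(...)` call, which is the behaviour the query wants; the obvious weakness, and the reason such a query stays heuristic, is that a value copied into an innocently named local (`value = user.ssn; log.info(value)`) escapes a pure name match and needs real data-flow tracking to catch.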

Hello,

I recently mentioned this on another one of my PRs, but several of my PRs have review requests from codeql-python (from which I have not received any feedback). I am unsure if I need official approval from codeql-python for experimental queries, so if I can have some guidance on how to remove the review request from codeql-python and instead get someone else to take a look so I can get them potentially merged as experimental queries, that would be great.

These queries that I have written and currently are waiting upon review from codeql-python are:

- Python: XML RPC Dotted Names
- Python: Private Data Cleartext Storage/Logging
- Python: Module not intended for production
- Python: Open URL without Certificate Validation

Thank you so much!

dilanbhalla avatar Jul 12 '20 22:07 dilanbhalla

> I recently mentioned this on another one of my PRs, but several of my PRs have review requests from codeql-python (from which I have not received any feedback). I am unsure if I need official approval from codeql-python for experimental queries, so if I can have some guidance on how to remove the review request from codeql-python and instead get someone else to take a look so I can get them potentially merged as experimental queries, that would be great.

All Python submissions -- even the ones that are initially being merged into experimental -- have to be reviewed by someone from the Python team before merging. This is to ensure that the contributed code is up to our usual standards.

Regarding your submissions, I can't give a firm guarantee on when they will be reviewed. As I mentioned elsewhere, we're currently focusing all of our energy on improving the core Python QL libraries, and it may be a while before we get round to your PRs.

Thank you for your patience. :slightly_smiling_face:

tausbn avatar Jul 13 '20 09:07 tausbn

Hi @tausbn, that makes sense. And I completely understand the focus on restructuring the libraries at the moment.

dilanbhalla avatar Jul 13 '20 16:07 dilanbhalla

Thank you very much for your patience! I think the restructuring is sufficiently in place now. I made a comment on your other PR. This one, I am so not sure about, it seems very heuristic, but I can see it would be useful in certain contexts. Has it per chance been superseded by other work in the gap time?

yoff avatar Feb 22 '24 08:02 yoff