-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathCleartextStorage.ql
More file actions
40 lines (31 loc) · 1.19 KB
/
CleartextStorage.ql
File metadata and controls
40 lines (31 loc) · 1.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
/**
* @name Clear-text storage of sensitive information
* @description Sensitive information stored without encryption or hashing can expose it to an
* attacker.
* @kind path-problem
* @problem.severity error
* @precision high
* @id py/clear-text-storage-sensitive-data
* @tags security
* external/cwe/cwe-312
* external/cwe/cwe-315
* external/cwe/cwe-359
*/
import python
import semmle.python.security.Paths
import semmle.python.security.TaintTracking
import semmle.python.security.SensitiveData
import semmle.python.security.ClearText
class CleartextStorageConfiguration extends TaintTracking::Configuration {
CleartextStorageConfiguration() { this = "ClearTextStorage" }
override predicate isSource(TaintSource src) {
src instanceof SensitiveData::Source
}
override predicate isSink(TaintSink sink) {
sink instanceof ClearTextStorage::Sink
}
}
from CleartextStorageConfiguration config, TaintedPathSource source, TaintedPathSink sink
where config.hasFlowPath(source, sink)
select sink.getSink(), source, sink, "Sensitive data from $@ is stored here.",
source.getSource(), source.getNode().(SensitiveData::Source).repr()