Warn on use of variable named pass/password

Also, allow PATCH http verb, though it looks like java still prohibits that at a deeper level, so need to do some playing dirty to finish making that work.
EngineHub · Mar 13, 2020 · 1cc870d40cafd33fc70f9a540fbb9eda0bc7ce6b · 1cc870d
1 parent fe99506
commit 1cc870d40cafd33fc70f9a540fbb9eda0bc7ce6b
diff --git a/src/main/java/com/laytonsmith/PureUtilities/Web/HTTPMethod.java b/src/main/java/com/laytonsmith/PureUtilities/Web/HTTPMethod.java
@@ -4,5 +4,5 @@
  * This enum contains all the valid HTTP methods.
  */
 public enum HTTPMethod {
-	POST, GET, HEAD, OPTIONS, PUT, DELETE, TRACE;
+	POST, GET, HEAD, OPTIONS, PUT, DELETE, TRACE, PATCH;
 }
diff --git a/src/main/java/com/laytonsmith/core/compiler/FileOptions.java b/src/main/java/com/laytonsmith/core/compiler/FileOptions.java
@@ -336,7 +336,12 @@ public Version since() {
 		CodeUpgradeNotices("Code that uses old formats should generally be upgraded to newer versions."
 				+ " This is encouraged to make code more readable, and is not a deprecation notice. This type of"
 				+ " warning is only displayed in strict mode, and is even still suppressable.", MSVersion.V3_3_4,
-				SeverityLevel.LOW);
+				SeverityLevel.LOW),
+		UseOfSecureString("When storing sensitive information such as passwords, it is adviseable to use the"
+				+ " secure_string class instead of string. There is first class language support for this in"
+				+ " many places, but in general makes it harder to accidentally leak sensitive data in for"
+				+ " example log messages, even when passing the data around to code that accepts strings.",
+				MSVersion.V3_3_4, SeverityLevel.MEDIUM);
 
 		private SuppressWarning(String docs, Version version, SeverityLevel severityLevel) {
 			this.docs = docs;

diff --git a/src/main/java/com/laytonsmith/core/functions/BasicLogic.java b/src/main/java/com/laytonsmith/core/functions/BasicLogic.java
@@ -154,7 +154,7 @@ public CBoolean exec(Target t, Environment env, Mixed... args) throws CancelComm
 
 		@Override
 		public String docs() {
-			return "boolean {var1, var2[, varX...]} Returns true or false if all the arguments are equal. Operator syntax is"
+			return "boolean {var1, var2[, varX...]} Returns true if all the arguments are equal. Operator syntax is"
 					+ " also supported: @a == @b";
 		}
 

diff --git a/src/main/java/com/laytonsmith/core/functions/DataHandling.java b/src/main/java/com/laytonsmith/core/functions/DataHandling.java
@@ -389,6 +389,21 @@ public ParseTree optimizeDynamic(Target t, Environment env,
 							new CompilerWarning(msg, t, null));
 				}
 			}
+			{
+				// Check for declaration of variables named "pass" or "password" and see if it's defined as a
+				// secure_string. If not, warn.
+				if(children.get(0).getData() instanceof CClassType && children.get(1).getData() instanceof IVariable) {
+					boolean isString
+							= ((CClassType) children.get(0).getData()).getNativeType() == CString.class;
+					String varName = ((IVariable) children.get(1).getData()).getVariableName();
+					if((varName.equalsIgnoreCase("pass") || varName.equalsIgnoreCase("password"))
+							&& isString) {
+						String msg = "";
+						env.getEnv(CompilerEnvironment.class).addCompilerWarning(fileOptions,
+								new CompilerWarning(msg, t, FileOptions.SuppressWarning.CodeUpgradeNotices));
+					}
+				}
+			}
 			if(children.get(0).getData() instanceof CFunction && array_get.equals(children.get(0).getData().val())) {
 				if(children.get(0).getChildAt(1).getData() instanceof CSlice) {
 					CSlice cs = (CSlice) children.get(0).getChildAt(1).getData();
@@ -410,6 +425,7 @@ public ParseTree optimizeDynamic(Target t, Environment env,
 					return tree;
 				}
 			}
+
 			return null;
 		}