
Warn on use of variable named pass/password

Also, allow the PATCH HTTP verb, though it looks like Java still prohibits
it at a deeper level, so some low-level workarounds are still needed to
finish making that work.
LadyCailin committed Mar 13, 2020
1 parent fe99506 commit 1cc870d40cafd33fc70f9a540fbb9eda0bc7ce6b
@@ -4,5 +4,5 @@
* This enum contains all the valid HTTP methods.
*/
public enum HTTPMethod {
POST, GET, HEAD, OPTIONS, PUT, DELETE, TRACE;
POST, GET, HEAD, OPTIONS, PUT, DELETE, TRACE, PATCH;
}
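Review bot: PATCH is now a member of an enum whose Javadoc describes it as the set of valid HTTP methods, yet the commit message itself says the Java layer underneath still rejects it, so selecting PATCH presumably fails at runtime instead of being caught at compile time. Until that lower layer is handled, the limitation should be visible at the declaration, e.g. a Javadoc line on the constant: `/** Accepted here, but the underlying HTTP transport does not yet support PATCH; requests using it may fail at runtime. */`. If the transport is HttpURLConnection, setRequestMethod("PATCH") throws ProtocolException, which is worth confirming against the request code so the caveat names the actual failure.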
@@ -336,7 +336,12 @@ public Version since() {
CodeUpgradeNotices("Code that uses old formats should generally be upgraded to newer versions."
+ " This is encouraged to make code more readable, and is not a deprecation notice. This type of"
+ " warning is only displayed in strict mode, and is even still suppressable.", MSVersion.V3_3_4,
SeverityLevel.LOW);
SeverityLevel.LOW),
UseOfSecureString("When storing sensitive information such as passwords, it is adviseable to use the"
+ " secure_string class instead of string. There is first class language support for this in"
+ " many places, but in general makes it harder to accidentally leak sensitive data in for"
+ " example log messages, even when passing the data around to code that accepts strings.",
MSVersion.V3_3_4, SeverityLevel.MEDIUM);

private SuppressWarning(String docs, Version version, SeverityLevel severityLevel) {
this.docs = docs;
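Review bot: The docs text of the new UseOfSecureString entry is user-visible and has a spelling error plus a sentence that lost its subject; it should read `... it is advisable to use the` and `... many places, but in general it makes it harder to accidentally leak sensitive data ...`. Since the entry is meant to be referenced by the new compiler check, a short Javadoc line above it naming the check that raises it would help the next maintainer find both halves. The enum that holds these entries begins outside the hunk.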
@@ -154,7 +154,7 @@ public CBoolean exec(Target t, Environment env, Mixed... args) throws CancelComm

@Override
public String docs() {
return "boolean {var1, var2[, varX...]} Returns true or false if all the arguments are equal. Operator syntax is"
return "boolean {var1, var2[, varX...]} Returns true if all the arguments are equal. Operator syntax is"
+ " also supported: @a == @b";
}

@@ -389,6 +389,21 @@ public ParseTree optimizeDynamic(Target t, Environment env,
new CompilerWarning(msg, t, null));
}
}
{
// Check for declaration of variables named "pass" or "password" and see if it's defined as a
// secure_string. If not, warn.
if(children.get(0).getData() instanceof CClassType && children.get(1).getData() instanceof IVariable) {
boolean isString
= ((CClassType) children.get(0).getData()).getNativeType() == CString.class;
String varName = ((IVariable) children.get(1).getData()).getVariableName();
if((varName.equalsIgnoreCase("pass") || varName.equalsIgnoreCase("password"))
&& isString) {
String msg = "";
env.getEnv(CompilerEnvironment.class).addCompilerWarning(fileOptions,
new CompilerWarning(msg, t, FileOptions.SuppressWarning.CodeUpgradeNotices));
}
}
}
if(children.get(0).getData() instanceof CFunction && array_get.equals(children.get(0).getData().val())) {
if(children.get(0).getChildAt(1).getData() instanceof CSlice) {
CSlice cs = (CSlice) children.get(0).getChildAt(1).getData();
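Review bot: The warning created from `String msg = "";` is emitted with an empty message, so the user sees a warning that explains nothing; it needs text such as `String msg = "Variable @" + varName + " is declared as string; sensitive values such as passwords should use secure_string so they are not accidentally leaked, for example in log messages.";`. The warning is also filed under `FileOptions.SuppressWarning.CodeUpgradeNotices` rather than the `UseOfSecureString` category this same commit adds, so it cannot be suppressed on its own and, going by the CodeUpgradeNotices docs, presumably only shows in strict mode; the third argument should be `FileOptions.SuppressWarning.UseOfSecureString`. The name test is an exact match on pass/password, so `@passwd`, `@pwd` or `@userPassword` are never flagged, which may be intentional but is worth a comment. The enclosing optimizeDynamic method starts and ends outside the hunk, so I cannot see whether `children` is guaranteed to hold at least two elements before children.get(1) is read.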
@@ -410,6 +425,7 @@ public ParseTree optimizeDynamic(Target t, Environment env,
return tree;
}
}

return null;
}
