JS: add query js/cleartext-logging

[ghost]

This PR adds a taint analysis query that flags logging of sensitive data in clear text. Logged sensitive data may be stored, so this query is really just a sibling of js/clear-text-storage-of-sensitive-data, they therefore share a qhelp file.

Programmers construct log messages in very different ways, so this query is much more conservative that its sibling. In particular, his query considers "passwords" to be the only source of sensitive data.

Evaluation on our standard benchmarks reveal two true positives, and nothing else.

The performance seems fine for a new security query, here are the numbers for a comparison on the security suite: https://git.semmle.com/gist/esben/3e07f35b8aab1caff35eeab990615d19

[xiemaisi]

Great stuff! Looks like you put a lot of work into fine-tuning the heuristics.

A few suggestions, but overall the results speak for themselves.

[xiemaisi]

Here and below: "clear-text logging" should probably have a dash between "clear" and "text". Also, upper-case LGTM.

[xiemaisi]

OOI, could this lead to false negatives for Electron apps?

[ghost]

I do not think that is a false negative.
This predicate is used to exclude alerts for logging that occurs on the user's own computer since that is innocent in practice.
Both browsers and electron apps (that use browser features) are run on the user's own computer.

[xiemaisi]

Ah, you're right.

[xiemaisi]

Couldn't we leave it to our file classification to hide results in test code?

[ghost]

This does not prevent results in test code, it prevents results like this:

if (environment.isTestEnv()) {
  console.log("Password is: " + password); // OK
}

See the test:
https://github.com/Semmle/ql/pull/73/files#diff-48bc5394f61be303fa92728aec0a85a8R92

[xiemaisi]

I see. To be honest, though, this predicate doesn't make me very happy. It looks very ad-hoc and brittle. Could we come up with something slightly more rigorous?

[ghost]

I have removed the check for now, it does not make a difference on our default benchmarks.

[xiemaisi]

Turn this into qldoc, since we have it anyway?

[xiemaisi]

Really?

[ghost]

Yep.
https://docs.npmjs.com/misc/config#loglevel: "silent", "error", "warn", "notice", "http", "timing", "info", "verbose", "silly"

[xiemaisi]

Oh, good. My favourite in this list is actually "http", though. Well done for not including it in this predicate.

[xiemaisi]

s/cleartext/clear-text/

[xiemaisi]

And below.

[xiemaisi]

This duplicates a fair amount of code from the taint tracking library. Please refactor and reuse.

[ghost]

Done. I made the concatenation part of StringManipulationTaintStep public.
Performance of js/cleartext-logging is unchanged, but I will start a sanity check for the ordinary taint queries now.

[xiemaisi]

Only if they have defined a custom toString, otherwise it'll show [object Object].

[xiemaisi]

exists (DataFlow::SourceNode base |
  this = base.getAPropertyRead(name) and
  // avoid (...)
  not base.getAPropertyWrite(name).getRhs() instanceof NonCleartextPassword
)

[xiemaisi]

write = this.(DataFlow::SourceNode).getAWrite(name) and

[xiemaisi]

@felicity-semmle, who should we request a doc review from? (I can @-mention @Semmle/doc, but can't request a review.)

[mchammer01]

mc-semmle ;-)

[xiemaisi]

Thanks; unfortunately I cannot request a review from you either (maybe you need to get yourself added to the Semmle organisation or something?).

[mchammer01]

I believe Pavel added me to the Semmle organization and to the docteam. How strange.

[mchammer01]

Clear-text logging (with an hyphen)?

[mchammer01]

line 18: to look up

[ghost]

All comments addressed.

[xiemaisi]

One more nit.

[xiemaisi]

This description sounds weird to me. Who or what can expose it to an attacker?

Perhaps rephrase as "Logging sensitive information without encryption or hashing (...)".

[xiemaisi]

Oh, good. My favourite in this list is actually "http", though. Well done for not including it in this predicate.

[ghost]

Removed last nit with an amend.