cpp/potential-system-data-exposure: Does printing a username from getpwuid() count as potential exposure of sensitive system data?

[ryao]

https://github.com/ryao/zfs/security/code-scanning/824

https://github.com/ryao/zfs/blob/3881dd42bbfb7297f08e796c38b35d54e11ac500/cmd/zpool/zpool_main.c#L9431-L9431

Does telling a user his own username really count as potential exposure of sensitive information?

I guess this could be dependent on your threat model since a threat model for an IoT device is certainly different from a threat model for a standard multi-user system. However, I wonder if a username, which is public information in most threat models for C/C++ software, really should be counted as sensitive information by cpp/potential-system-data-exposure.

[redsun82]

You are right that the sensitiveness of the username is dependent on the thread model, but that means in the end that it depends on the context in which the C++ program is being run. There are relevant cases when printing the OS username can expose information usable by an attacker, and CodeQL analysis can not really take into account the context in which the whole program is being run. For reference, here's the relevant CWE.

Maybe long term we could think of ways to customise sensitive data categorisation, but until then I guess the only possibility is to consciously dismiss such alerts.