
Python: Private Data Cleartext Storage/Logging #3899

Open
wants to merge 2 commits into base: main

Conversation

dilanbhalla
Contributor

Added new library and corresponding queries for storage/logging of cleartext private data. This already exists for sensitive expressions (CWE-311) but would be helpful to have for private data as well, as we already have for C# (seen in C# queries CWE-312 and CWE-359). The PrivateData.qll library includes information corresponding to government identifiers, as opposed to the credential-related information stored in SensitiveData.qll, but still important to keep encrypted before storing/logging as mentioned above.
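As an added illustration (not code from this PR or from the CodeQL libraries), the source-to-sink pattern the proposed queries are meant to flag, written in Python: a government identifier flowing unchanged into a logging call, beside a variant that masks it and logs only a keyed, non-reversible reference. The field names, the masking rule and the HMAC key are assumptions made for the example.

```python
import hashlib
import hmac
import logging

# Placeholder key (assumption): in a real service this comes from a secret store
# and is rotated; it only needs to be consistent within one deployment.
LOG_FINGERPRINT_KEY = b"placeholder-rotate-per-deployment"

def fingerprint(identifier: str) -> str:
    """Stable, non-reversible reference for an identifier (HMAC-SHA256, truncated),
    so support staff can correlate records without the raw value ever being logged."""
    digest = hmac.new(LOG_FINGERPRINT_KEY, identifier.encode(), hashlib.sha256).hexdigest()
    return "id_" + digest[:12]

def mask(identifier: str) -> str:
    """Keep only the last four characters: '123-45-6789' -> '*******6789'."""
    return "*" * max(len(identifier) - 4, 0) + identifier[-4:]

def register_user_vulnerable(logger: logging.Logger, username: str, ssn: str) -> None:
    # CWE-312 / CWE-359 pattern: the private identifier reaches the logging sink in cleartext.
    logger.info("registered %s (ssn=%s)", username, ssn)

def register_user_hardened(logger: logging.Logger, username: str, ssn: str) -> None:
    # Same event, but only a masked form and a keyed reference are written to the log.
    logger.info("registered %s (ssn=%s, ref=%s)", username, mask(ssn), fingerprint(ssn))

def capture(fn, *args) -> list:
    """Run fn with a logger whose formatted messages are collected into a list,
    so the two variants' log output can be compared directly."""
    messages = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            messages.append(record.getMessage())

    logger = logging.getLogger("privatedata-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    logger.addHandler(handler)
    try:
        fn(logger, *args)
    finally:
        logger.removeHandler(handler)
    return messages

if __name__ == "__main__":
    # Constructed sample identifier; not real data.
    print(capture(register_user_vulnerable, "alice", "123-45-6789"))
    print(capture(register_user_hardened, "alice", "123-45-6789"))
```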

@dilanbhalla dilanbhalla requested a review from a team as a code owner July 4, 2020 07:09
@dilanbhalla
Contributor Author

Hello,

I recently mentioned this on another one of my PRs, but several of my PRs have review requests from codeql-python (from which I have not received any feedback). I am unsure if I need official approval from codeql-python for experimental queries, so if I can have some guidance on how to remove the review request from codeql-python and instead get someone else to take a look so I can get them potentially merged as experimental queries, that would be great.

These queries that I have written and currently are waiting upon review from codeql-python are:

Python: XML RPC Dotted Names
Python: Private Data Cleartext Storage/Logging
Python: Module not intended for production
Python: Open URL without Certificate Validation

Thank you so much!

@tausbn
Contributor

tausbn commented Jul 13, 2020

I recently mentioned this on another one of my PRs, but several of my PRs have review requests from codeql-python (from which I have not received any feedback). I am unsure if I need official approval from codeql-python for experimental queries, so if I can have some guidance on how to remove the review request from codeql-python and instead get someone else to take a look so I can get them potentially merged as experimental queries, that would be great.

All Python submissions -- even the ones that are initially being merged into experimental -- have to be reviewed by someone from the Python team before merging. This is to ensure that the contributed code is up to our usual standards.

Regarding your submissions, I can't give a firm guarantee on when they will be reviewed. As I mentioned elsewhere, we're currently focusing all of our energy on improving the core Python QL libraries, and it may be a while before we get round to your PRs.

Thank you for your patience. 🙂

@dilanbhalla
Contributor Author

Hi @tausbn, that makes sense. And I completely understand the focus on restructuring the libraries at the moment.

@adityasharad adityasharad changed the base branch from master to main August 14, 2020 18:33
@yoff
Contributor

yoff commented Feb 22, 2024

Thank you very much for your patience! I think the restructuring is sufficiently in place now. I made a comment on your other PR. This one, I am so not sure about, it seems very heuristic, but I can see it would be useful in certain contexts. Has it per chance been superseded by other work in the gap time?

3 participants