Add sensitive exposure split query #207
Open

wants to merge 3 commits into base: main
Conversation

@knewbury01 knewbury01 commented Jul 24, 2025

What This PR Contributes

  • a new CAP query that uses out-of-the-box javascript-all sources from this out-of-the-box query. The query does not use the same sources as the js/cap-sensitive-log query (to avoid duplications) but does use the CAP-specific sinks and therefore also avoids duplication of alerts with the out-of-the-box query.

Future Works

none at this time

@knewbury01 knewbury01 requested a review from jeongsoolee09 July 24, 2025 18:10
@knewbury01 knewbury01 self-assigned this Jul 24, 2025
@jeongsoolee09

Can we rename the Likely/likely suffix to HeuristicSource / heuristic-source? I believe that conveys the meaning better.


## Examples

This CAP service directly logs the sensitive information.

Can you add more details to how this vulnerability can be exploited?


## Recommendation

CAP applications should not log sensitive information.

I think it'd be great to add some examples of sensitive information and ways to mitigate it.

Comment on lines +23 to +25
override predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }

override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
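Review bot: the configuration on lines +23 to +25 overrides only isSource and isSink, with no sanitizer predicate, so a value that is masked or truncated on its way from a CleartextLogging::Source to a CdsLogSink is still reported as a cleartext exposure; add a sanitizer override next to isSink (a CAP-specific barrier or one of the predefined ones) and a test case whose flow passes through it, so the expected output shows that the masked path is not flagged.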
@jeongsoolee09 jeongsoolee09 Aug 1, 2025


Add an appropriate sanitizer definition (either from CAP or predefined) and add a test case that uses such sanitizer.

@jeongsoolee09 jeongsoolee09 left a comment


First round of thoughts.
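The review above asks for a sanitizer plus a test that exercises it, and for the Recommendation section to show concrete examples of sensitive data and ways to mitigate it. As an added example that is not part of PR #207 or the project's query, here is a JavaScript sketch of the pattern on the CAP side: a handler that logs a request payload containing sensitive fields (the kind of flow a CleartextLogging source paired with a CDS log sink would flag) next to a hardened handler that passes the payload through a redaction helper first, which is the shape of value a sanitizer definition would need to recognise. The logger is a stand-in for cds.log() so the example runs offline; the sensitive field names, the request object and the redact helper are assumptions, not CAP APIs.

```javascript
// Added example, not code from PR #207 or the project. Shows a CAP-style handler
// that logs a payload with sensitive fields, and a hardened variant that redacts
// those fields before the value reaches the logger. The logger is a stand-in for
// cds.log() so this runs offline; key names below are assumptions.

// Assumed list of key fragments treated as sensitive (case-insensitive substring match).
const SENSITIVE_KEYS = ['password', 'passwd', 'secret', 'token', 'apikey', 'creditcard', 'ssn'];

function isSensitiveKey(key) {
  const k = String(key).toLowerCase();
  return SENSITIVE_KEYS.some((s) => k.includes(s));
}

// Return a deep copy of `value` with sensitive leaf values replaced by a fixed mask.
// Objects and arrays are walked recursively; cycles are cut to avoid infinite recursion.
function redact(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  if (value && typeof value === 'object') {
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? '***REDACTED***' : redact(v, seen);
    }
    return out;
  }
  return value; // primitives pass through unchanged
}

// Stand-in for a logger returned by cds.log('<name>'): records what would be written.
function makeLogger() {
  const lines = [];
  const fmt = (a) => (typeof a === 'string' ? a : JSON.stringify(a));
  return { lines, info: (...args) => lines.push(args.map(fmt).join(' ')) };
}

// Vulnerable pattern: the whole request payload (a cleartext source) flows to the log sink.
function vulnerableHandler(req, log) {
  log.info('createUser payload:', req.data);
}

// Mitigated pattern: the payload passes through redact() before it reaches the sink.
function hardenedHandler(req, log) {
  log.info('createUser payload:', redact(req.data));
}

// Constructed request, standing in for the req.data a CAP event handler receives.
const sampleReq = {
  data: { name: 'alice', password: 'hunter2', profile: { apiKey: 'sk-123', email: 'a@example.com' } },
};

// Run both handlers over the same payload and return the single log line each produced.
function demo() {
  const bad = makeLogger();
  const good = makeLogger();
  vulnerableHandler(sampleReq, bad);
  hardenedHandler(sampleReq, good);
  return { vulnerable: bad.lines[0], hardened: good.lines[0] };
}

console.log(JSON.stringify(demo(), null, 2));
```

The redact() step is the kind of call a sanitizer definition for this query would recognise, and a test case for the query would pair the two handlers above: the vulnerable one expected in the results, the hardened one expected to be absent.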
