
Add sensitive exposure split query #207


Open: wants to merge 5 commits into base: main

Conversation

knewbury01
Contributor

@knewbury01 knewbury01 commented Jul 24, 2025

What This PR Contributes

  • a new CAP query that uses out-of-the-box javascript-all sources from this out-of-the-box query. The query does not use the same sources as the js/cap-sensitive-log query (to avoid duplication) but does use the CAP-specific sinks, and therefore also avoids duplication of alerts with the out-of-the-box query.

Future Works

none at this time

@knewbury01 knewbury01 requested a review from jeongsoolee09 July 24, 2025 18:10
@knewbury01 knewbury01 self-assigned this Jul 24, 2025
@jeongsoolee09
Contributor

Can we rename the Likely/likely suffix to HeuristicSource / heuristic-source? I believe that conveys the meaning better.

Contributor

@jeongsoolee09 jeongsoolee09 left a comment


First round of thoughts.

Comment on lines +30 to +35
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
// Assume all properties of a logged object are themselves logged.
contents = DataFlow::ContentSet::anyProperty() and
isSink(node)
}
}
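Review bot: the comment on allowImplicitRead (lines +30 to +35) states the assumption but not why the predicate is needed or how narrowly it applies, which is exactly what the reviewer asked; expand it in place rather than leaving the answer in the thread. Something like: `// Any property read of a node that reaches a sink counts as a read of that node, so logging a whole object reports sensitive values held in its properties.` followed by `// Scoped to sink nodes via isSink(node); it is not a general field-sensitivity step.` Both points are visible in the hunk (`ContentSet::anyProperty()` combined with `isSink(node)`), so the comment can state them without further assumptions.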
Contributor


What does this do? What kind of code does this intend to capture?

Contributor Author


It's from the out-of-the-box queries, and is very necessary: it means that the definition of a variable being "read" includes any access of its properties (I think at sink locations only, as opposed to overall field sensitivity, which an additional flow step would capture).

I don't really see any other form of documentation anywhere talking about this common predicate to add to the comment, but for our own understanding, if you want, searching for "allowImplicitRead" in Slack across all channels does find some refs to it and a bit of useful conversation confirming that this is the intended use of it.
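The kind of application code the allowImplicitRead predicate is meant to catch, as an added illustration that is not part of this PR or the CAP query pack: a whole object reaches a logging sink, and the sensitive value lives in one of its properties, so a tracker that follows only the property would miss the leak unless a sink-side read of all properties is assumed. The `log` function below is a hypothetical stand-in for an application logger (not the CAP `cds.log` API), the request object is constructed sample data, and the `redact` helper is an assumed hardening, not something the query or CAP provides.

```javascript
// Property names treated as sensitive for this illustration (assumption).
const SENSITIVE_KEYS = new Set(['password', 'secret', 'token', 'apiKey']);

// Hypothetical log sink: captures what would be written to the log so the
// leak can be checked programmatically.
const logLines = [];
function log(value) {
  const line = typeof value === 'string' ? value : JSON.stringify(value);
  logLines.push(line);
  return line;
}

// Vulnerable pattern: the sink node is `user`, but serializing it reads
// every property, so the sensitive `password` property ends up in the log.
// This is why a sink is allowed an implicit read of all properties.
function loginVulnerable(req) {
  const user = { name: req.body.name, password: req.body.password };
  log(user);
  return user;
}

// Hardening: redact known-sensitive keys (recursively, cycle-safe) before the
// object reaches the sink.
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.has(k) ? '[REDACTED]' : redact(v, seen);
  }
  return out;
}

function loginHardened(req) {
  const user = { name: req.body.name, password: req.body.password };
  log(redact(user));
  return user;
}

// Check which of the given secret strings appear in the captured log text.
function leakedSecrets(lines, secrets) {
  return secrets.filter((s) => lines.some((l) => l.includes(s)));
}

// Constructed sample request (not real data).
const sampleReq = { body: { name: 'alice', password: 'hunter2' } };

// Runs both variants against the sample request and reports what leaked.
function demo() {
  logLines.length = 0;
  loginVulnerable(sampleReq);
  const leakedBefore = leakedSecrets(logLines, ['hunter2']);
  logLines.length = 0;
  loginHardened(sampleReq);
  const leakedAfter = leakedSecrets(logLines, ['hunter2']);
  return { leakedBefore, leakedAfter, hardenedLine: logLines[0] };
}
```

Running `demo()` shows the vulnerable handler writing the password to the log while the hardened one writes `[REDACTED]`; the point for the query is that both call `log(user)` with the object as the sink node, so without an implicit property read at the sink the first case would not be reported.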

Contributor

@jeongsoolee09 jeongsoolee09 left a comment


Left a second round of review.

@jeongsoolee09
Contributor

Also, please add a description of the relationship of this query to the existing SensitiveExposure.
