java: Added Java/Kotlin Sensitive Logging barriers (substrings) #20741
Conversation
Pull Request Overview
This PR adds support for detecting substring operations as sanitizer barriers in sensitive logging analysis for both Java and Kotlin. The implementation takes a conservative approach by allowing substring operations that extract up to 7 characters, which can help mitigate the logging of sensitive data.
Key Changes:
- Introduced abstract `SensitiveLoggerBarrier` class for sanitizer barriers
- Implemented substring-based sanitizers supporting Java `String.substring()` and Kotlin `take()`/`takeLast()` methods
- Refactored existing sanitizers into a new `GenericSanitizer` class
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll | Core implementation adding SensitiveLoggerBarrier abstraction, SensitiveLoggerSanitizerCalled for substring operations with helper predicates, IntegerToArgConfig for constant propagation, and refactored GenericSanitizer |
| java/ql/test/query-tests/security/CWE-532/Test.java | Added test cases demonstrating safe usage of substring(4) and substring(0,4) on sensitive auth tokens |
| /** | ||
| * A sanitizer that may remove sensitive information from a string before logging. | ||
| * | ||
| * It allows for substring operations taking the first N (or last N, for Kotlin) characters, limited to 7 or fewer. |
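Review bot: The class comment states the 7-character limit but not the precondition, given in the PR description, that the length must be a compile-time constant integer (which may reach the call through data flow), nor that substrings not taken from the start (or, for Kotlin, the end) of the string are not recognised; a reader of the library cannot tell from this comment why `substring(0, n)` with a runtime `n` or `substring(2, 6)` is not treated as a barrier. Suggest adding after the limit sentence something like ` * The length must be a compile-time constant integer (it may reach the call via data flow); substrings not anchored at the start or end of the string are not recognised.`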
Copilot
AI
Nov 15, 2025
[nitpick] Extra space before "It allows". The documentation comment should have consistent spacing - either one space after the asterisk for all lines, or align the text.
| * It allows for substring operations taking the first N (or last N, for Kotlin) characters, limited to 7 or fewer. | |
| * It allows for substring operations taking the first N (or last N, for Kotlin) characters, limited to 7 or fewer. |
Logging of sensitive data can be mitigated by taking a substring of the data. This affects the library used by `java/sensitive-log` (CWE 532). The exact length suitable will vary by application, but this change takes a conservative approach and allows either `substring` or `take`/`takeLast` of up to 7 characters. Complex redaction with a regular expression, replacement of particular characters, a substring not at the start or end of the string, or a conditional substring (such as with Apache StringUtils) are not supported in this sanitizer.

There is a new abstraction for sanitizer barriers, along with logic to detect substring operations that restrict logged data to a safe length in both Java and Kotlin code. The existing sanitizers are pulled into a new class called `GenericSanitizer`, which implements the new abstract class, alongside the new sanitizer. The safe length restriction must be done in the analyzed code with a compile-time constant integer, but the integer can reach the substring operation using taint.
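As an added illustration (not the PR's own Test.java), the following Java shows which call shapes the description above says the new barrier accepts and which it leaves unsanitized; the class, method names and the sample token are hypothetical.

```java
import java.util.logging.Logger;

// Added illustration, not the PR's test file: which substring shapes the
// described barrier accepts. Class and method names are hypothetical.
public class TokenLoggingExamples {
    private static final Logger LOG = Logger.getLogger("auth");
    private static final int PREFIX_LEN = 4;   // compile-time constant

    // No sanitizer: the raw token reaches the log call (java/sensitive-log fires).
    static void logFullToken(String authToken) {
        LOG.info("token=" + authToken);
    }

    // Barrier: a leading substring of 4 characters, within the 7-character limit.
    static void logPrefixLiteral(String authToken) {
        LOG.info("token=" + authToken.substring(0, 4));
    }

    // Barrier: the length is still a compile-time constant; it reaches
    // substring() through a local variable, which the description says is tracked.
    static void logPrefixViaConstant(String authToken) {
        int n = PREFIX_LEN;
        LOG.info("token=" + authToken.substring(0, n));
    }

    // Not a barrier: 8 characters exceeds the conservative limit of 7.
    static void logLongPrefix(String authToken) {
        LOG.info("token=" + authToken.substring(0, 8));
    }

    // Not a barrier: the length is a runtime value, not a compile-time constant.
    static void logRuntimeLength(String authToken, int n) {
        LOG.info("token=" + authToken.substring(0, n));
    }

    // Not a barrier: a substring from the middle of the string is unsupported.
    static void logMiddle(String authToken) {
        LOG.info("token=" + authToken.substring(2, 6));
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real credential.
        String token = "eyJ0b2tlbi1leGFtcGxlIn0";
        logPrefixLiteral(token);
        logPrefixViaConstant(token);
    }
}
```

Only the two methods called from `main` would pass the barrier; the others are shapes the description explicitly excludes, so the query would still report them.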