github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License
7.5k stars 1.49k forks

False positive: Mistaking Username as password if they are set in the same tuple #16976

Open DefinetlyNotAI opened 1 month ago

DefinetlyNotAI commented 1 month ago

Description of the false positive

Sometimes, when a variable stores a tuple containing a password and a username and then the username is logged to a file directly after the tuple is split, CodeQL assumes the username variable is a password, thus reporting "Clear-text storage of sensitive information".

Code samples or links to source code

Step 1 ControlFlowNode for Subscript
Source
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)

```python
        api = config["api"]
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
```

Step 2 ControlFlowNode for password
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)

```python
        api = config["api"]
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
```

Step 3 ControlFlowNode for Tuple
[DataBase.py:847](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L847-L847)

```python
        username = config["username"]
        password = config["password"]
        exclusion_titles = config["exclusion_titles"]
        return api, username, password, exclusion_titles
    except Exception as e:
        return f"ERROR {e} && 520"
```

Step 4 ControlFlowNode for read_api()
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)

```python
            - str: If the API is invalid, returns a formatted error message.
            """
            # Initialize the UserManager and API values
            temp = read_api()
            if isinstance(temp, str):
                if check_ERROR(temp):
                    return temp
```

Step 5 ControlFlowNode for temp
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)

```python
            - str: If the API is invalid, returns a formatted error message.
            """
            # Initialize the UserManager and API values
            temp = read_api()
            if isinstance(temp, str):
                if check_ERROR(temp):
                    return temp
```

Step 6 ControlFlowNode for username
[DataBase.py:971](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L971-L971)

```python
                if check_ERROR(temp):
                    return temp
            else:
                api, username, password, exclusion_titles = temp

            if api == "REC":
                log.info(
```

Step 7 ControlFlowNode for Fstring
[DataBase.py:975](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L975-L975)

```python
            if api == "REC":
                log.info(
                    f"A request has been made to generate an exam by the user {username}"
                )
                if um.verify_password(username, password):
                    DATA = exam_generator(username)
```

Step 8 ControlFlowNode for message
[DataBase.py:504](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L504-L504)

```python
        return time

    def info(self, message):
        """
        Writes an informational message to the log file.
```

Step 9 ControlFlowNode for Fstring
[DataBase.py:515](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L515-L515)

```python
            None
        """
        with open(self.filename, "a") as f:
            f.write(f"INFO: {message} at {self.timestamp()}\n")
```

This expression stores  as clear text.

```python
    def error(self, message):
        """
```

URL to the alert on GitHub code scanning (optional)

https://github.com/DefinetlyNotAI/Test-generator/security/code-scanning/50

aibaars commented 1 month ago

Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.

In your case it looks like CodeQL treats the entire tuple as tainted without distinguishing the individual components of the tuple.
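To make the distinction in the comment above concrete, the following is an added, self-contained illustration that is not CodeQL's implementation and not code from this thread: a toy taint tracker over Python's `ast` module that can run either tuple-coarse (one taint bit for the whole tuple, so unpacking taints every target, as in the reported alert) or per-element (each tuple position carries its own taint, so only the password reaches the sink). The sample program, the sensitive config key `"password"`, the sinks `log.info`/`f.write` and the simple return-summary interprocedural step are all constructed assumptions for this demo. Requires Python 3.9+ (`ast.Subscript.slice` as a plain expression, `ast.unparse`-era AST layout).

```python
import ast

# Assumptions for this demo only (not CodeQL's real source/sink model):
SOURCE_KEYS = {"password"}            # config["password"] is the sensitive source
SINK_CALLS = {"log.info", "f.write"}  # calls treated as clear-text storage sinks


def _any(t):
    """Collapse a per-element taint tuple (or a plain bool) to one bool."""
    return any(t) if isinstance(t, tuple) else bool(t)


def _call_name(call):
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else ""


def _taint(expr, env, summaries, per_element):
    """Taint of an expression: a tuple of bools for tuple values, a bool otherwise."""
    if isinstance(expr, ast.Subscript) and isinstance(expr.slice, ast.Constant):
        return expr.slice.value in SOURCE_KEYS
    if isinstance(expr, ast.Name):
        return env.get(expr.id, False)
    if isinstance(expr, ast.Tuple):
        parts = [_any(_taint(e, env, summaries, per_element)) for e in expr.elts]
        # Coarse mode is the behaviour described in the report: one bit for the whole tuple.
        return tuple(parts) if per_element else any(parts)
    if isinstance(expr, ast.JoinedStr):  # f-string: tainted if any interpolated value is
        return any(_any(_taint(v.value, env, summaries, per_element))
                   for v in expr.values if isinstance(v, ast.FormattedValue))
    if isinstance(expr, ast.Call):       # interprocedural step via the callee's return summary
        return summaries.get(_call_name(expr), False)
    return False


def _stmts(body):
    """Yield statements in source order, descending into if/try/with/for bodies."""
    for s in body:
        yield s
        for field in ("body", "orelse", "finalbody"):
            yield from _stmts(getattr(s, field, []))
        for h in getattr(s, "handlers", []):
            yield from _stmts(h.body)


def analyze_function(fn, summaries, per_element):
    """Return (return_taint, findings); a finding is (lineno, tainted names reaching a sink)."""
    env, findings, ret = {}, [], False
    for stmt in _stmts(fn.body):
        if isinstance(stmt, ast.Assign):
            value = _taint(stmt.value, env, summaries, per_element)
            for target in stmt.targets:
                if isinstance(target, ast.Tuple):  # a, b, c = value
                    for i, elt in enumerate(target.elts):
                        if not isinstance(elt, ast.Name):
                            continue
                        if isinstance(value, tuple):  # per-element: position i only
                            env[elt.id] = value[i] if i < len(value) else False
                        else:                          # coarse: every target inherits the bit
                            env[elt.id] = bool(value)
                elif isinstance(target, ast.Name):
                    env[target.id] = value
        elif isinstance(stmt, ast.Return) and stmt.value is not None:
            t = _taint(stmt.value, env, summaries, per_element)
            ret = t if isinstance(t, tuple) else (ret or bool(t))
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if _call_name(call) in SINK_CALLS:
                for arg in call.args:
                    if _any(_taint(arg, env, summaries, per_element)):
                        names = sorted({n.id for n in ast.walk(arg)
                                        if isinstance(n, ast.Name) and _any(env.get(n.id, False))})
                        findings.append((stmt.lineno, names))
    return ret, findings


def scan(src, per_element):
    """Analyse top-level functions in definition order; callees must precede callers."""
    summaries, findings = {}, []
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            ret, found = analyze_function(node, summaries, per_element)
            summaries[node.name] = ret
            findings.extend(found)
    return findings


# Constructed sample mirroring the shape of the reported code; it is parsed, never executed.
SAMPLE = '''def read_api(config):
    api = config["api"]
    username = config["username"]
    password = config["password"]
    return api, username, password

def handle(config):
    temp = read_api(config)
    api, username, password = temp
    log.info(f"request made by user {username}")
    log.info(f"debug: password is {password}")
'''

if __name__ == "__main__":
    print("coarse (whole tuple tainted):", scan(SAMPLE, per_element=False))
    print("per-element:", scan(SAMPLE, per_element=True))
```

With `per_element=False` the tracker reports both `log.info` calls, including the one that only logs `username`, which is the false positive in the report; with `per_element=True` only the line that logs `password` is reported. The analysis is flow-insensitive and ignores aliasing and attribute writes, which is enough to show why tuple-level taint granularity produces this class of alert.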