feat(python): extend logger rule (CWE-532) (#389)

Bearer · May 16, 2024 · 34dbcf6 · 34dbcf6
1 parent 51891d8
commit 34dbcf6
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 57 deletions.
diff --git a/rules/python/lang/logger.yml b/rules/python/lang/logger.yml
@@ -1,23 +1,47 @@
 imports:
   - python_shared_lang_datatype
+  - python_shared_lang_instance
+  - python_shared_lang_import1
 patterns:
-  - pattern: logging.$<METHOD>($<DATA_TYPE>)
+  - pattern: $<LOGGER>.$<METHOD>($<DATA_TYPE>)
     filters:
+      - variable: LOGGER
+        detection: python_lang_logger_init
       - variable: METHOD
         values:
+          - critical
           - debug
-          - warning
-          - info
           - error
+          - exception
+          - info
+          - log
+          - warning
       - variable: DATA_TYPE
         detection: python_shared_lang_datatype
         scope: result
+auxiliary:
+  - id: python_lang_logger_init
+    patterns:
+      - pattern: $<LOGGER>
+        filters:
+          - variable: LOGGER
+            detection: python_shared_lang_instance
+            scope: cursor_strict
+            filters:
+              - variable: CLASS
+                detection: python_shared_lang_import1
+                scope: cursor
+                filters:
+                  - variable: MODULE1
+                    values: [logging]
+                  - variable: NAME
+                    values: [getLogger]
 languages:
   - python
 skip_data_types:
   - "Unique Identifier"
 metadata:
-  description: "Leakage of sensitive information in logger message"
+  description: Leakage of sensitive information in logger message
   remediation_message: |-
     ## Description
 

diff --git a/tests/python/lang/logger/test.js b/tests/python/lang/logger/test.js
@@ -6,35 +6,14 @@ const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
 
 describe(ruleId, () => {
   const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+  test("main", () => {
+    const testCase = "main.py"
 
-
-    test("bad", () => {
-      const testCase = "bad.py"
+    const results = invoke(testCase)
 
-      const results = invoke(testCase)
-
-      expect(results.Missing).toEqual([])
-      expect(results.Extra).toEqual([])
-    })
-
-
-    test("ok", () => {
-      const testCase = "ok.py"
-
-      const results = invoke(testCase)
-
-      expect(results.Missing).toEqual([])
-      expect(results.Extra).toEqual([])
-    })
-
-
-    test("shared_datatype", () => {
-      const testCase = "shared_datatype.py"
-
-      const results = invoke(testCase)
-
-      expect(results.Missing).toEqual([])
-      expect(results.Extra).toEqual([])
+    expect(results).toEqual({
+      Missing: [],
+      Extra: []
     })
-
+  })
 })
diff --git a/tests/python/lang/logger/testdata/bad.py b/tests/python/lang/logger/testdata/bad.py
diff --git a/tests/python/lang/logger/testdata/main.py b/tests/python/lang/logger/testdata/main.py
@@ -0,0 +1,18 @@
+import logging
+
+myLogger = logging.getLogger(__name__)
+
+def bad(user):
+  # bearer:expected python_lang_logger
+  myLogger.info(f"User '{user.email}' logged")
+
+def bad2(user):
+  # bearer:expected python_lang_logger
+  myLogger.debug(f"Some debug info about '{user.email}'")
+
+import logging as something_else
+
+def bad3(user):
+  myOtherLogger = something_else.getLogger(__name__)
+  # bearer:expected python_lang_logger
+  myOtherLogger.debug(f"User '{user.email}' logged")
diff --git a/tests/python/lang/logger/testdata/ok.py b/tests/python/lang/logger/testdata/ok.py
diff --git a/tests/python/lang/logger/testdata/shared_datatype.py b/tests/python/lang/logger/testdata/shared_datatype.py