Rust: Sensitive data library #18414
Rust: Sensitive data library #18414
Conversation
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
| sink(pass_phrase); // $ MISSING: sensitive=password | ||
| sink(auth_key); // $ MISSING: sensitive=password |
There was a problem hiding this comment.
should we add those?
we should also consider that snake-case is the convention in rust for variables (by default you even have that flagged and many IDEs propose to fix the case automatically), so I think we should add snakecase counterparts to the camelcase heuristics (auth_key and authentication_key).
Also, if we add pass_phrase/passPhrase, we should probably also add passphrase.
There was a problem hiding this comment.
should we add those?
Yes we should, but I'd like to do it in the shared library and that requires agreement from other language teams (and wider testing). So it'll be a follow-up PR, and it is planned.
if we add pass_phrase/passPhrase, we should probably also add passphrase.
The regexs are all case insensitive, so passPhrase and passphrase should both be matched. I can add some test cases around this if you like?
There was a problem hiding this comment.
I'm going to hit merge on this PR now. As I said above, I plan to do more work on the sensitive data library in the near future so I'm more than happy to take further suggestions / feedback.
There was a problem hiding this comment.
I should add, you're 100% right that the frequency of snake_case is a quirk of Rust that I should be paying more attention to.
| sink(authenticationkey); // $ sensitive=password | ||
| sink(authKey); // $ sensitive=password | ||
|
|
||
| sink(ms); // $ MISSING: sensitive=password |
There was a problem hiding this comment.
Why should this one be sensitive=password?
There was a problem hiding this comment.
Because ms is a MyStruct which contains a sensitive field password. So if you transmitted the whole of ms plaintext you would be transmitting a password (and some other stuff) unencrypted.
Add a library for recognising sensitive data in Rust. The core logic in
SensitiveDataHeuristics.qllis shared between languages, the integration inSensitiveData.qllis Rust specific (so are the tests and summary queries).The implementation here is a bit minimal, there's a lot I want to improve both in the integration and in the shared library. However I'm keen to get something in place and working so that I can start building queries on top of this alongside making improvements to it.