From a1d479e9751715b63a5ff5e21ae2208221d58254 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus
Date: Wed, 4 Mar 2020 17:10:04 +0000
Subject: [PATCH 1/2] JS: Declassify sensitive exprs with special characters
---
 .../ql/src/semmle/javascript/security/SensitiveActions.qll | 5 +++--
 javascript/ql/test/library-tests/SensitiveActions/tst.js | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
index d3bcc289a50c..0a5a701ab820 100644
--- a/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/src/semmle/javascript/security/SensitiveActions.qll
@@ -63,10 +63,11 @@ module HeuristicNames {
 /**
 * Gets a regular expression that identifies strings that may indicate the presence of data
- * that is hashed or encrypted, and hence rendered non-sensitive.
+ * that is hashed or encrypted, and hence rendered non-sensitive, or contains special characters
+ * suggesting nouns within the string do not represent the meaning of the whole string (e.g. a URL or a SQL query).
 */
 string notSensitive() {
- result = "(?is).*(redact|censor|obfuscate|hash|md5|sha|((?
Date: Thu, 5 Mar 2020 14:48:29 +0000
Subject: [PATCH 2/2] JS: Change note
---
 change-notes/1.24/analysis-javascript.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/change-notes/1.24/analysis-javascript.md b/change-notes/1.24/analysis-javascript.md
index 1a666cea01cd..bbedb3bc1f4f 100644
--- a/change-notes/1.24/analysis-javascript.md
+++ b/change-notes/1.24/analysis-javascript.md
@@ -64,6 +64,7 @@
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed and used. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
 | Syntax error (`js/syntax-error`) | Lower severity | This results of this query are now displayed with lower severity. |
+| Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
 ## Changes to libraries