Module SensitiveActions

Provides classes and predicates for identifying sensitive data and methods for security.

‘Sensitive’ data in general is anything that should not be sent around in unencrypted form. This library tries to guess where sensitive data may either be stored in a variable or produced by a method.

In addition, there are methods that ought not to be executed or not in a fashion that the user can control. This includes authorization methods such as logins, and sending of data, etc.

Import path

import semmle.code.csharp.security.SensitiveActions

Imports

Forms	Provides definitions related to the namespace `System.Windows.Forms`.
csharp	The default C# QL library.

Classes

AdditionalNonSensitiveStrings	A string for `match` that identifies strings that look like they don’t represent secret data.
AdditionalSensitiveStrings	A string for `match` that identifies strings that look like they represent secret data.
AuthMethod	A method that may perform authorization.
CredentialsMethod	A method that might return sensitive data, based on the name.
PasswordExpr	An expression that may contain a password.
PasswordField	A field containing a text box used as a password.
PasswordTextboxText	Reading the `Text` property of a password text box.
SendingMethod	A method that sends data, and so should not be run conditionally on user input.
SensitiveDataMethod	A method that may produce sensitive data.
SensitiveExecutionMethod	A method whose execution may be sensitive.
SensitiveExecutionMethodCall	A call to a method that sends data, and so should not be run conditionally on user input.
SensitiveExpr	An expression that might contain sensitive data.
SensitiveLibraryParameter	A parameter to a library method that may hold a sensitive value.
SensitiveMethodAccess	A method access that might produce sensitive data.
SensitiveProperty	A property that may hold a sensitive value.
SensitiveVariable	A variable that may hold a sensitive value.
SensitiveVariableAccess	An access to a variable that might contain sensitive data.