Closed as not planned
Description
Description of the false positive
Sometimes, when a variable stores a tuple containing a password and a username, and the username is then logged to a file directly after the tuple is split, CodeQL assumes the username variable is a password, thus reporting Clear-text storage of sensitive information.
Code samples or links to source code
Step 1 ControlFlowNode for Subscript
Source
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)
api = config["api"]
username = config["username"]
password = config["password"]
exclusion_titles = config["exclusion_titles"]
return api, username, password, exclusion_titles
except Exception as e:
Step 2 ControlFlowNode for password
[DataBase.py:845](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L845-L845)
api = config["api"]
username = config["username"]
password = config["password"]
exclusion_titles = config["exclusion_titles"]
return api, username, password, exclusion_titles
except Exception as e:
Step 3 ControlFlowNode for Tuple
[DataBase.py:847](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L847-L847)
username = config["username"]
password = config["password"]
exclusion_titles = config["exclusion_titles"]
return api, username, password, exclusion_titles
except Exception as e:
return f"ERROR {e} && 520"
Step 4 ControlFlowNode for read_api()
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)
- str: If the API is invalid, returns a formatted error message.
"""
# Initialize the UserManager and API values
temp = read_api()
if isinstance(temp, str):
if check_ERROR(temp):
return temp
Step 5 ControlFlowNode for temp
[DataBase.py:966](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L966-L966)
- str: If the API is invalid, returns a formatted error message.
"""
# Initialize the UserManager and API values
temp = read_api()
if isinstance(temp, str):
if check_ERROR(temp):
return temp
Step 6 ControlFlowNode for username
[DataBase.py:971](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L971-L971)
if check_ERROR(temp):
return temp
else:
api, username, password, exclusion_titles = temp
if api == "REC":
log.info(
Step 7 ControlFlowNode for Fstring
[DataBase.py:975](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L975-L975)
if api == "REC":
log.info(
f"A request has been made to generate an exam by the user {username}"
)
if um.verify_password(username, password):
DATA = exam_generator(username)
Step 8 ControlFlowNode for message
[DataBase.py:504](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L504-L504)
return time
def info(self, message):
"""
Writes an informational message to the log file.
Step 9 ControlFlowNode for Fstring
[DataBase.py:515](https://github.com/DefinetlyNotAI/Test-generator/blob/813d517b26e7c3a25b0781d187d5ce3b42cad172/DataBase.py#L515-L515)
None
"""
with open(self.filename, "a") as f:
f.write(f"INFO: {message} at {self.timestamp()}\n")
This expression stores as clear text.
def error(self, message):
"""
URL to the alert on GitHub code scanning (optional)
https://github.com/DefinetlyNotAI/Test-generator/security/code-scanning/50