Accuracy improvements for py/clear-text-logging-sensitive-data

[tacu22]

Description of the issue
Hey, I found two common cases where the rule doesn't match in my codebase. One creates noise, the other misses a real leak.

First, SecretStr masks text automatically (e.g., prints '**********'). Logging these objects is safe, but the rule flags them.

from pydantic import SecretStr

password = SecretStr("super_secret")
logging.info("Login: %s", password) # Flagged, but actually safe

2. Logging an exception object leaks its message (via str), but the rule misses this if the secret is inside the exception.

secret_token = "secret_123"
# logging.error("Auth failed: %s", secret_token)  # Detected ✅
try:
    raise ValueError("Auth failed: {}".format(secret_token))
except ValueError as e:
    # Currently NOT flagged, but leaks 'secret_123' via __str__ ❌
    logging.error("Auth failed: %s", e)  

Maybe we should add the first pattern to the sanitizers and add the second one as a propagator in the taint tracking config.

[redsun82]

👋 @tacu22 thanks for reaching out.

A sanitizer on SecretStr calls won't unfortunately help for your first case, because the query is currently based on a heuristic on variable names, so the taint actually stems from the password variable name, after SecretStr has been applied. Fixing this would require a change into how sources are detected, by excluding those that have a flow from sanitizers like this one.

For the latter, this does make sense, but it might have problematic performance implications. For example Java doesn't have flow through exceptions precisely for that reason. But I don't know if this is the case for Python as well.

I forwarded this to our team working on Python analysis.