Shared: Fix for 'api_tok'.

geoffw0 · geoffw0 · commit 213ab902cd68 · 2026-05-06T14:34:15.000+01:00
diff --git a/rust/ql/test/library-tests/sensitivedata/test.rs b/rust/ql/test/library-tests/sensitivedata/test.rs
@@ -58,7 +58,7 @@ fn test_passwords(
 	sink(oauth); // $ sensitive=password
 	sink(one_time_code); // $ MISSING: sensitive=password
 	sink(api_token); // $ sensitive=password
-	sink(api_tok); // $ MISSING: sensitive=password
+	sink(api_tok); // $ sensitive=password
 
 	sink(ms); // $ MISSING: sensitive=password
 	sink(ms.password.as_str()); // $ sensitive=password
diff --git a/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll b/shared/concepts/codeql/concepts/internal/SensitiveDataHeuristics.qll
@@ -76,7 +76,7 @@ module HeuristicNames {
   string maybePassword() {
     result =
       "(?is).*(pass(wd|word|code|.?phrase)(?!.*question)|(auth(entication|ori[sz]ation)?).?key|oauth|"
-        + "api.?(key|token)|([_-]|\\b)mfa([_-]|\\b)).*"
+        + "api.?(key|tok)|([_-]|\\b)mfa([_-]|\\b)).*"
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ module HeuristicNames {`
`76`	`76`	`string maybePassword() {`
`77`	`77`	`result =`
`78`	`78`	`"(?is).(pass(wd\|word\|code\|.?phrase)(?!.question)\|(auth(entication\|ori[sz]ation)?).?key\|oauth\|"`
`79`		`- + "api.?(key\|token)\|([_-]\|\\b)mfa([_-]\|\\b)).*"`
	`79`	`+ + "api.?(key\|tok)\|([_-]\|\\b)mfa([_-]\|\\b)).*"`
`80`	`80`	`}`
`81`	`81`
`82`	`82`	`/**`