hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Query for cleartext storage using Android SharedPreferences

Browse Source
This commit is contained in:
luchua-bc
2020-11-16 17:23:01 +00:00
parent 09cfb24afa
commit 0bd6255c41
13 changed files with 1120 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/test/experimental/query-tests/security/CWE-312/ClearTextStorageSharedPrefs.expected Normal file
View File

@@ -0,0 +1 @@
| ClearTextStorageSharedPrefs.java:16:3:16:17 | commit(...) | 'SharedPreferences' class $@ containing $@ is stored here. Data was added $@. | ClearTextStorageSharedPrefs.java:13:19:13:36 | edit(...) | edit(...) | ClearTextStorageSharedPrefs.java:15:32:15:39 | password | sensitive data | ClearTextStorageSharedPrefs.java:15:32:15:39 | password | here |

54
java/ql/test/experimental/query-tests/security/CWE-312/ClearTextStorageSharedPrefs.java Normal file
View File

@@ -0,0 +1,54 @@
import android.app.Activity;
import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import androidx.security.crypto.MasterKey;
import androidx.security.crypto.EncryptedSharedPreferences;
/** Android activity that tests saving sensitive information in `SharedPreferences` */
public class ClearTextStorageSharedPrefs extends Activity {
// BAD - save sensitive information in cleartext
public void testSetSharedPrefs1(Context context, String name, String password) {
SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
Editor editor = sharedPrefs.edit();
editor.putString("name", name);
editor.putString("password", password);
editor.commit();
}
// GOOD - save sensitive information in encrypted format
public void testSetSharedPrefs2(Context context, String name, String password) {
SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
Editor editor = sharedPrefs.edit();
editor.putString("name", encrypt(name));
editor.putString("password", encrypt(password));
editor.commit();
}
private static String encrypt(String cleartext) {
//Use an encryption or hashing algorithm in real world. The demo below just returns an arbitrary value.
String cipher = "whatever_encrypted";
return cipher;
}
// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx.
public void testSetSharedPrefs3(Context context, String name, String password) {
MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
.build();
SharedPreferences sharedPreferences = EncryptedSharedPreferences.create(
context,
"secret_shared_prefs",
masterKey,
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
// Use the shared preferences and editor as you normally would
SharedPreferences.Editor editor = sharedPreferences.edit();
editor.putString("name", name);
editor.putString("password", password);
editor.commit();
}
}

1
java/ql/test/experimental/query-tests/security/CWE-312/ClearTextStorageSharedPrefs.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-312/ClearTextStorageSharedPrefs.ql

1
java/ql/test/experimental/query-tests/security/CWE-312/options Normal file
View File

@@ -0,0 +1 @@
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0