Apply suggestions from docs review

Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
Joe Farebrother
2022-11-15 16:57:48 +00:00
parent 7ae41ff165
commit 255123cbf9
2 changed files with 5 additions and 8 deletions


@@ -4,21 +4,18 @@
<qhelp>
<overview>
<p>When a user enters information to a text input field on an Android application, then by default their input is saved to a keyboard cache,
which provides autocomplete suggestions and predictions. If the input field is expected to contain sensitive information, such as a password or banking details,
this sensitive data may be leaked to other applications via the keyboard cache.</p>
<p>When a user enters information in a text input field on an Android application, their input is saved to a keyboard cache which provides autocomplete suggestions and predictions. There is a risk that sensitive user data, such as passwords or banking information, may be leaked to other applications via the keyboard cache.</p>
</overview>
<recommendation>
<p>For input fields expected to accept sensitive information, an input type such as <code>"textNoSuggestions"</code> (or <code>"textPassword"</code> for a password)
should be used to ensure that the input does not get stored in the keyboard cache.</p>
<p>For input fields expected to accept sensitive information, use input types such as <code>"textNoSuggestions"</code> (or <code>"textPassword"</code> for a password) to ensure the input does not get stored in the keyboard cache.</p>
<p>The input type can also be set in code through <code>TextView.setInputType()</code> rather than declared through XML.</p>
</recommendation>
<example>
<p>In the following example, the field labeled BAD could allow the password to be saved to the keyboard cache;
whereas the field labeled GOOD uses the <code>"textPassword"</code> input type, which ensures that it is not.</p>
<p>In the following example, the field labeled BAD allows the password to be saved to the keyboard cache,
whereas the field labeled GOOD uses the <code>"textPassword"</code> input type to ensure the password is not cached.</p>
<sample src="Example.xml" />
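Review bot: The one-line overview paragraph drops the "by default" qualifier that the three-line version carried, so it now says input "is saved to a keyboard cache" unconditionally, which sits awkwardly beside the recommendation that "textNoSuggestions" or "textPassword" prevents caching. Suggest "their input is saved to a keyboard cache by default, which provides autocomplete suggestions and predictions" (this also supplies the comma before "which"). In the same paragraph, "sensitive user data ... may be leaked" no longer ties the risk to input fields that are expected to hold such data, so a short clause linking the two would keep the overview aligned with the recommendation that follows.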


@@ -1,6 +1,6 @@
/**
* @name Android sensitive keyboard cache
* @description Sensitive information should not be saved to the keyboard cache.
* @description Allowing the keyboard to cache sensitive information may result in information leaks to other applications.
* @kind problem
* @problem.severity warning
* @security-severity 8.1
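Review bot: The longer @description line repeats "information" ("cache sensitive information may result in information leaks"), which reads clumsily in a one-line query summary. Suggest something like "Allowing the keyboard to cache sensitive information may result in it being leaked to other applications", which also matches the "leaked to other applications via the keyboard cache" wording used in the qhelp overview.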