hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-21 15:05:56 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation

Browse Source
This commit is contained in:
Joe Farebrother
2024-01-24 14:10:28 +00:00
parent aa78050933
commit 8d201626e1
4 changed files with 52 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java Normal file
View File

@@ -0,0 +1,2 @@
TextView pwView = getViewById(R.id.pw_text);
pwView.setText("Your password is: " + password);

38
java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.qhelp Normal file
View File

@@ -0,0 +1,38 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.
</p>
</overview>
<recommendation>
<p>
For editable text fields containing sensitive information, the <code>inputType</code> should be set to <code>textPassword</code> or similar to ensure it is properly masked.
Otherwise, sensitive data that is required to be displayed should be hidden by default, and only revealed based on an explicit user action.
</p>
</recommendation>
<example>
<p>
In the following (bad) case, sensitive information <code>password</code> is exposed to the <code>TextView</code>.
</p>
<sample src="AndroidSensitiveTextBad.java"/>
<p>
In the following (good) case, the user must press a button to reveal sensitive information.
</p>
<sample src="AndroidSensitiveTextGood.java"/>
</example>
<references>
<li>
OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#ui-components">Android Data Storage - UI Components</a>
</li>
</references>
</qhelp>

4
java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
View File

@@ -1,8 +1,8 @@
/**
* @name Exposure of sensitive information to UI text fields.
* @name Exposure of sensitive information to UI text views.
* @id java/android/sensitive-text
* @kind path-problem
* @description Sensitive information ... TODO
* @description Sensitive information displayed in UI text views should be properly masked.
* @problem.severity warning
* @precision medium
* @security-severity 6.5

10
java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java Normal file
View File

@@ -0,0 +1,10 @@
TextView pwView = findViewById(R.id.pw_text);
pwView.setVisibility(View.INVISIBLE);
pwView.setText("Your password is: " + password);
Button showButton = findViewById(R.id.show_pw_button);
showButton.setOnClickListener(new View.OnClickListener() {
public void onClick(View v) {
pwView.setVisibility(View.VISIBLE);
}
});