Enhance the query and add more test cases

2026-04-28 10:15:14 +02:00 · 2020-11-25 04:33:26 +00:00
parent a311462791
commit a49160423b
5 changed files with 175 additions and 66 deletions
--- a/java/ql/test/query-tests/security/CWE-312/semmle/tests/ClearTextStorageSharedPrefs.expected
+++ b/java/ql/test/query-tests/security/CWE-312/semmle/tests/ClearTextStorageSharedPrefs.expected
@@ -1 +1 @@
-| ClearTextStorageSharedPrefs.java:16:3:16:17 | commit(...) | 'SharedPreferences' class $@ containing $@ is stored here. Data was added $@. | ClearTextStorageSharedPrefs.java:13:19:13:36 | edit(...) | edit(...) | ClearTextStorageSharedPrefs.java:15:32:15:39 | password | sensitive data | ClearTextStorageSharedPrefs.java:15:32:15:39 | password | here |
+| ClearTextStorageSharedPrefs.java:19:3:19:17 | commit(...) | 'SharedPreferences' class $@ containing $@ is stored here. Data was added $@. | ClearTextStorageSharedPrefs.java:16:19:16:36 | edit(...) | edit(...) | ClearTextStorageSharedPrefs.java:18:32:18:39 | password | sensitive data | ClearTextStorageSharedPrefs.java:18:32:18:39 | password | here |
--- a/java/ql/test/query-tests/security/CWE-312/semmle/tests/ClearTextStorageSharedPrefs.java
+++ b/java/ql/test/query-tests/security/CWE-312/semmle/tests/ClearTextStorageSharedPrefs.java
@@ -4,8 +4,11 @@ import android.content.SharedPreferences;
 import android.content.SharedPreferences.Editor;
 import androidx.security.crypto.MasterKey;
 import androidx.security.crypto.EncryptedSharedPreferences;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.security.MessageDigest;

-/** Android activity that tests saving sensitive information in `SharedPreferences`  */
+/* Android activity that tests saving sensitive information in `SharedPreferences` */
 public class ClearTextStorageSharedPrefs extends Activity {
 	// BAD - save sensitive information in cleartext
 	public void testSetSharedPrefs1(Context context, String name, String password) {
@@ -26,13 +29,27 @@ public class ClearTextStorageSharedPrefs extends Activity {
 	}

 	private static String encrypt(String cleartext) {
-		//Use an encryption or hashing algorithm in real world. The demo below just returns an arbitrary value.
-		String cipher = "whatever_encrypted";
-		return cipher;
+		// Use an encryption or hashing algorithm in real world. The demo below just returns its hash.
+		MessageDigest digest = MessageDigest.getInstance("SHA-256");
+		byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
+		String encoded = Base64.getEncoder().encodeToString(hash);
+		return encoded;
 	}

-	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx.
+	// GOOD - save sensitive information in encrypted format using separate variables
 	public void testSetSharedPrefs3(Context context, String name, String password) {
+		String encUsername = encrypt(name);
+		String encPassword = encrypt(password);
+		SharedPreferences sharedPrefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE);
+		Editor editor = sharedPrefs.edit();
+		editor.putString("name", encUsername);
+		editor.putString("password", encPassword);
+		editor.commit();
+	}
+
+
+	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
+	public void testSetSharedPrefs4(Context context, String name, String password) {
 		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
 			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
 			.build();
@@ -50,4 +67,43 @@ public class ClearTextStorageSharedPrefs extends Activity {
 		editor.putString("password", password);
 		editor.commit();
 	}
+
+	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
+	public void testSetSharedPrefs5(Context context, String name, String password) {
+		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
+			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+			.build();
+
+		SharedPreferences.Editor editor = EncryptedSharedPreferences.create(
+				context,
+				"secret_shared_prefs",
+				masterKey,
+				EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+				EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)
+			.edit();
+
+		// Use the shared preferences and editor as you normally would
+		editor.putString("name", name);
+		editor.putString("password", password);
+		editor.commit();
+	}
+
+	// GOOD - save sensitive information using the built-in `EncryptedSharedPreferences` class in androidx
+	public void testSetSharedPrefs6(Context context, String name, String password) {
+		MasterKey masterKey = new MasterKey.Builder(context, MasterKey.DEFAULT_MASTER_KEY_ALIAS)
+			.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+			.build();
+
+		SharedPreferences.Editor editor = EncryptedSharedPreferences.create(
+				context,
+				"secret_shared_prefs",
+				masterKey,
+				EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+				EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM)
+			.edit()
+			.putString("name", name)  // Use the shared preferences and editor as you normally would
+			.putString("password", password);
+			
+		editor.commit();
+	}
 }