Implement checks for elements hidden by their xml attributes

2026-04-24 16:25:15 +02:00 · 2024-01-24 13:31:06 +00:00
parent 6081f18089
commit aa78050933
5 changed files with 82 additions and 9 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/android/Layout.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/Layout.qll
@@ -11,15 +11,10 @@ class AndroidLayoutXmlFile extends XmlFile {

 /** A component declared in an Android layout file. */
 class AndroidLayoutXmlElement extends XmlElement {
-  AndroidXmlAttribute id;
+  AndroidLayoutXmlElement() { this.getFile() instanceof AndroidLayoutXmlFile }

-  AndroidLayoutXmlElement() {
-    this.getFile() instanceof AndroidLayoutXmlFile and
-    id = this.getAttribute("id")
-  }
-
-  /** Gets the ID of this component. */
-  string getId() { result = id.getValue() }
+  /** Gets the ID of this component, if any. */
+  string getId() { result = this.getAttribute("id").getValue() }

  /** Gets the class of this component. */
  Class getClass() {
--- a/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
@@ -73,6 +73,14 @@ private module TextFieldTrackingConfig implements DataFlow::ConfigSig {
 /** Holds if the given may be masked. */
 private predicate viewIsMasked(AndroidLayoutXmlElement view) {
  DataFlow::localExprFlow(getAUseOfViewWithId(view.getId()), any(MaskCall mcall).getQualifier())
+  or
+  view.getAttribute("inputType")
+      .(AndroidXmlAttribute)
+      .getValue()
+      .regexpMatch("(?i).*(text|number)(web)?password.*")
+  or
+  view.getAttribute("visibility").(AndroidXmlAttribute).getValue().toLowerCase() =
+    ["invisible", "gone"]
 }

 /** Holds if the qualifier of `call` is also called with a method that may mask the information displayed. */