Add tests and fix issues

2025-12-24 20:56:33 +01:00 · 2022-10-31 16:08:28 +00:00
parent 10a3b3bd14
commit dd4e1d0ac3
6 changed files with 49 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
@@ -46,13 +46,23 @@ class AndroidEditableXmlElement extends AndroidLayoutXmlElement {
  string getInputType() { result = this.getAttribute("inputType").(AndroidXmlAttribute).getValue() }
 }

+/** A `findViewById` or `requireViewById` method on `Activity` or `View`. */
+private class FindViewMethod extends Method {
+  FindViewMethod() {
+    hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"])
+    or
+    exists(Method m |
+      m.hasQualifiedName("android.app", "Activity", ["findViewById", "requireViewById"]) and
+      this = m.getAnOverride*()
+    )
+  }
+}
+
 /** Gets a use of the view that has the given id. */
 private Expr getAUseOfId(string id) {
  exists(string name, MethodAccess findView, NestedClass r_id, Field id_field |
    id = "@+id/" + name and
-    findView
-        .getMethod()
-        .hasQualifiedName("android.view", "View", ["findViewById", "requireViewById"]) and
+    findView.getMethod() instanceof FindViewMethod and
    r_id.getEnclosingType().hasName("R") and
    r_id.hasName("id") and
    id_field.getDeclaringType() = r_id and
--- a/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.qhelp
+++ b/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.qhelp
@@ -13,7 +13,7 @@ this sensitive data may be leaked to other applications via the keyboard cache.<

 <p>For input fields expected to accept sensitive information, an input type such as <code>"textNoSuggestions"</code> (or <code>"textPassword"</code> for a password) 
 should be used to ensure that the input does not get stored in the keyboard cache.</p>
-
+<p>The input type can also be set in code through <code>TextView.setInputType()</code> rather than declared through XML.</p>
 </recommendation>
 <example>

--- a/java/ql/test/query-tests/security/CWE-524/R.java
+++ b/java/ql/test/query-tests/security/CWE-524/R.java
@@ -0,0 +1,8 @@
+package com.example.test;
+
+public final class R {
+    public static final class id {
+        public static final int test7_password = 1;
+        public static final int test8_password = 2;
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-524/Test.java
+++ b/java/ql/test/query-tests/security/CWE-524/Test.java
@@ -1,3 +1,16 @@
+package com.example.test;
+import android.app.Activity;
+import android.os.Bundle;
 import android.widget.EditText;
+import android.view.View;
+import android.text.InputType;

-class Test {}
+class Test extends Activity {
+    public void onCreate(Bundle b) {
+        EditText test7pw = findViewById(R.id.test7_password);
+        test7pw.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
+
+        EditText test8pw = requireViewById(R.id.test8_password);
+        test8pw.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD);
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml
+++ b/java/ql/test/query-tests/security/CWE-524/res/layout/Test.xml
@@ -23,4 +23,13 @@
    <!-- $hasResult --> <EditText
        android:id="@+id/test5_bank_account_name"
        android:inputType="textMultiLine"/>  
+
+    <!-- $hasResult --> <EditText
+        android:id="@+id/test6_password"/>  
+
+    <EditText
+        android:id="@+id/test7_password"/>  
+
+    <EditText
+        android:id="@+id/test8_password"/>  
 </LinearLayout>
--- a/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
@@ -488,4 +488,8 @@ public class Activity extends ContextWrapper {
    public <T extends View> T findViewById(int id) {
        return null;
    }
+
+    public <T extends View> T requireViewById(int id) {
+        return null;
+    }
 }