codeql/java/ql/test/query-tests/security/CWE-312/CleartextStorageAndroidDatabaseTest.java

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import android.app.Activity;
import android.content.ContentValues;
import android.content.Context;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteStatement;

public class CleartextStorageAndroidDatabaseTest extends Activity {

    public void testCleartextStorageAndroiDatabaseSafe1(Context ctx, String name, String password) {
        SQLiteDatabase db = ctx.openOrCreateDatabase("test", Context.MODE_PRIVATE, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS users(user VARCHAR, password VARCHAR);"); // Safe
    }

    public void testCleartextStorageAndroiDatabaseSafe2(Context ctx, String name, String password) {
        SQLiteDatabase db = ctx.openOrCreateDatabase("test", Context.MODE_PRIVATE, null);
        db.execSQL("DROP TABLE passwords;"); // Safe - no sensitive value being stored
    }

    public void testCleartextStorageAndroiDatabase0(Context ctx, String name, String password) {
        SQLiteDatabase db = ctx.openOrCreateDatabase("test", Context.MODE_PRIVATE, null);
        String query = "INSERT INTO users VALUES ('" + name + "', '" + password + "');";
        db.execSQL(query); // $ hasCleartextStorageAndroidDatabase
    }

    public void testCleartextStorageAndroiDatabase1(Context ctx, String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        String query = "INSERT INTO users VALUES ('" + name + "', '" + password + "');";
        db.execSQL(query); // $ hasCleartextStorageAndroidDatabase
    }

    public void testCleartextStorageAndroiDatabase2(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase("", null);
        String query = "INSERT INTO users VALUES (?, ?)";
        db.execSQL(query, new String[] {name, password}); // $ hasCleartextStorageAndroidDatabase
    }

    //@formatter:off
    public void testCleartextStorageAndroiDatabase3(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.create(null);
        String query = "INSERT INTO users VALUES (?, ?)";
        db.execPerConnectionSQL(query, new String[] {name, password}); // $ hasCleartextStorageAndroidDatabase
    }
    //@formatter:on

    public void testCleartextStorageAndroiDatabaseSafe3(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // Safe - ContentValues aren't added to any database
    }

    public void testCleartextStorageAndroiDatabase4(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.insert("table", null, cv);
    }

    public void testCleartextStorageAndroiDatabase5(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.insertOrThrow("table", null, cv);
    }

    public void testCleartextStorageAndroiDatabase6(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.insertWithOnConflict("table", null, cv, 0);
    }

    public void testCleartextStorageAndroiDatabase7(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.replace("table", null, cv);
    }

    public void testCleartextStorageAndroiDatabase8(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.replaceOrThrow("table", null, cv);
    }

    public void testCleartextStorageAndroiDatabase9(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.update("table", cv, "", new String[] {});
    }

    public void testCleartextStorageAndroiDatabase10(String name, String password) {
        SQLiteDatabase db = SQLiteDatabase.openDatabase("", null, 0);
        ContentValues cv = new ContentValues();
        cv.put("username", name);
        cv.put("password", password); // $ hasCleartextStorageAndroidDatabase
        db.updateWithOnConflict("table", cv, "", new String[] {}, 0);
    }

    public void testCleartextStorageAndroiDatabaseSafe4(SQLiteDatabase db, String name,
            String password) {
        String query = "INSERT INTO users VALUES ('" + name + "', '" + password + "');";
        SQLiteStatement stmt = db.compileStatement(query); // Safe - statement isn't executed
    }

    public void testCleartextStorageAndroiDatabase11(SQLiteDatabase db, String name,
            String password) {
        String query = "INSERT INTO users VALUES ('" + name + "', '" + password + "');";
        SQLiteStatement stmt = db.compileStatement(query); // $ hasCleartextStorageAndroidDatabase
        stmt.executeUpdateDelete();
    }

    public void testCleartextStorageAndroiDatabase12(SQLiteDatabase db, String name,
            String password) {
        String query = "INSERT INTO users VALUES ('" + name + "', '" + password + "');";
        SQLiteStatement stmt = db.compileStatement(query); // $ hasCleartextStorageAndroidDatabase
        stmt.executeInsert();
    }

    public void testCleartextStorageAndroiDatabaseSafe5(String name, String password)
            throws Exception {
        SQLiteDatabase db = SQLiteDatabase.create(null);
        String query = "INSERT INTO users VALUES (?, ?)";
        db.execSQL(query, new String[] {name, encrypt(password)}); // Safe
    }

    private static String encrypt(String cleartext) throws Exception {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(cleartext.getBytes(StandardCharsets.UTF_8));
        String encoded = Base64.getEncoder().encodeToString(hash);
        return encoded;
    }
}