Add sensitive keyboard cache query

joefarebrother · joefarebrother · commit 85fe22625682 · 2022-11-16T10:54:13.000Z
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
@@ -0,0 +1,50 @@
+/** Definitions for the keyboard cache query */
+
+import java
+import semmle.code.xml.XML
+import semmle.code.java.security.SensitiveActions
+
+/** An Android Layout XML file. */
+class AndroidLayoutXmlFile extends XmlFile {
+  AndroidLayoutXmlFile() { this.getAbsolutePath().matches("%/res/layout/%.xml") }
+}
+
+/** An XML element that represents an editable text field. */
+class AndroidEditableXmlElement extends XmlElement {
+  XmlAttribute inputType;
+  XmlAttribute id;
+
+  AndroidEditableXmlElement() {
+    this.getFile() instanceof AndroidLayoutXmlFile and
+    inputType = this.getAnAttribute() and
+    inputType.getNamespace().getPrefix() = "android" and
+    inputType.getName() = "inputType" and
+    id = this.getAnAttribute() and
+    id.getNamespace().getPrefix() = "android" and
+    id.getName() = "id"
+  }
+
+  /** Gets the input type of this field. */
+  string getInputType() { result = inputType.getValue() }
+
+  /** Gets the ID of this field. */
+  string getId() { result = id.getValue() }
+}
+
+/** Gets a regex inidcating that an input field may contain sensitive data. */
+private string getInputSensitiveInfoRegex() {
+  result = [getCommonSensitiveInfoRegex(), "(?i).*(bank|credit|debit|security).*"]
+}
+
+/** Holds if input using the given input type may be stored in the keyboard cache. */
+bindingset[ty]
+private predicate inputTypeCached(string ty) {
+  ty.matches("%text%") and
+  not ty.regexpMatch("(?i).*(nosuggestions|password).*")
+}
+
+/** Gets an input field whose contents may be sensitive and may be stored in the keyboard cache. */
+AndroidEditableXmlElement getASensitiveCachedInput() {
+  result.getId().regexpMatch(getInputSensitiveInfoRegex()) and
+  inputTypeCached(result.getInputType())
+}
diff --git a/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.qhelp b/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.qhelp
diff --git a/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql b/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Android sensetive keyboard cache
+ * @description Sensitive information should not be saved to the keyboard cache.
+ * @kind problem
+ * @problem.severity warning
+ * @id java/android/debuggable-attribute-enabled
+ * @tags security
+ *       external/cwe/cwe-489
+ * @precision high
+ */
+
+import java
+import semmle.code.java.security.SensitiveKeyboardCacheQuery
+
+from AndroidEditableXmlElement el
+where el = getASensitiveCachedInput()
+select el, "This input field may contain sensitive information that is saved to the keyboard cache."
