Add documentation

joefarebrother · joefarebrother · commit 8d201626e1b7 · 2024-01-29T16:25:38.000Z
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java
@@ -0,0 +1,2 @@
+TextView pwView = getViewById(R.id.pw_text);
+pwView.setText("Your password is: " + password);
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.qhelp b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.qhelp
@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Sensitive information such as passwords should not be displayed in UI components unless explicitly required, to mitigate shoulder-surfing attacks.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+    For editable text fields containing sensitive information, the <code>inputType</code> should be set to <code>textPassword</code> or similar to ensure it is properly masked.
+    Otherwise, sensitive data that is required to be displayed should be hidden by default, and only revealed based on an explicit user action.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+    In the following (bad) case, sensitive information <code>password</code> is exposed to the <code>TextView</code>.
+    </p>
+
+    <sample src="AndroidSensitiveTextBad.java"/>
+
+    <p>
+    In the following (good) case, the user must press a button to reveal sensitive information.
+    </p>
+
+    <sample src="AndroidSensitiveTextGood.java"/>
+  </example>
+
+  <references>
+    <li>
+      OWASP Mobile Application Security: <a href="https://mas.owasp.org/MASTG/Android/0x05d-Testing-Data-Storage/#ui-components">Android Data Storage - UI Components</a> 
+    </li>
+  </references>
+
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
@@ -1,8 +1,8 @@
 /**
- * @name Exposure of sensitive information to UI text fields.
+ * @name Exposure of sensitive information to UI text views.
  * @id java/android/sensitive-text
  * @kind path-problem
- * @description Sensitive information ... TODO
+ * @description Sensitive information displayed in UI text views should be properly masked.
  * @problem.severity warning
  * @precision medium
  * @security-severity 6.5
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java
@@ -0,0 +1,10 @@
+TextView pwView = findViewById(R.id.pw_text);
+pwView.setVisibility(View.INVISIBLE);
+pwView.setText("Your password is: " + password);
+
+Button showButton = findViewById(R.id.show_pw_button);
+showButton.setOnClickListener(new View.OnClickListener() {
+    public void onClick(View v) {
+      pwView.setVisibility(View.VISIBLE);
+    }
+});

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+TextView pwView = getViewById(R.id.pw_text);`
	`2`	`+pwView.setText("Your password is: " + password);`