Create rule S7410: Keyboard cache should be disabled for password inputs (SONARKT-583) (#4724)

2025-03-17 13:51:06 +00:00 · 2025-03-17 13:51:06 +00:00 · 697e49fc2c
commit 697e49fc2c
parent 0884cdba3c
4 changed files with 111 additions and 0 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -158,3 +158,5 @@
 * Go Standard Library
 // Kubernetes
 * Helm
+// Kotlin
+Jetpack Compose
--- a/rules/S7410/kotlin/metadata.json
+++ b/rules/S7410/kotlin/metadata.json
@ -0,0 +1,34 @@
+{
+  "title": "Keyboard cache should be disabled for password inputs",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "android"
+  ],
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-7410",
+  "sqKey": "S7410",
+  "scope": "All",
+  "securityStandards": {
+    "OWASP Mobile Top 10 2024": [
+      "M8",
+      "M9"
+    ],
+    "CWE": [
+      524
+    ]
+  },
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "MEDIUM"
+    },
+    "attribute": "CONVENTIONAL"
+  }
+  
+}
--- a/rules/S7410/kotlin/rule.adoc
+++ b/rules/S7410/kotlin/rule.adoc
@ -0,0 +1,73 @@
+Mobile OSes use software keyboards that provide text predictions and suggestions. These keyboards cache text inputs in a local file in order to speed up typing and to recall frequent phrases. When users type sensitive data into a text field where keyboard cache is enabled, the data will be stored in clear-text in a local file. It will keep appearing in the keyboard suggestion list until the cache is cleared.
+
+== Why is this an issue?
+
+Keyboard caches are not designed to store sensitive information. Data they contain is not encrypted and can be exposed.
+In case a backup is performed, the cache file can be included in the backup, which will lead to the password being leakage.
+When device is shared, other user will see the password in the suggestion list.
+
+== How to fix it in Jetpack Compose
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,kotlin,diff-id=1,diff-type=noncompliant]
+----
+TextField(
+    value = text,
+    onValueChange = { text = it },
+    label = { Text("Password") },
+    visualTransformation = PasswordVisualTransformation(),
+    keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Text) // Noncompliant: keyboard cache is enabled
+)
+----
+
+==== Compliant solution
+
+[source,kotlin,diff-id=1,diff-type=compliant]
+----
+TextField(
+    value = text,
+    onValueChange = { text = it },
+    label = { Text("Password") },
+    visualTransformation = PasswordVisualTransformation(),
+    keyboardOptions = KeyboardOptions(keyboardType = KeyboardType.Password)
+)
+----
+
+
+== Resources
+
+=== Documentation
+
+=== Standards
+
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m8-security-misconfiguration[Mobile Top 10 2024 Category M8 - Security Misconfiguration]
+* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m9-insecure-data-storage[Mobile Top 10 2024 Category M9 - Insecure Data Storage]
+* CWE - https://cwe.mitre.org/data/definitions/524[CWE-524 - Use of Cache Containing Sensitive Information]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+* If `keyboardOptions` is set
+** Set the `keyboardType` to `KeyboardType.Password` to disable the keyboard cache
+* If `keyboardOptions` is not set, 
+** Set `keyboardOptions` to disable the keyboard cache
+
+=== Highlighting
+
+* Main location
+** If `keyboardOptions` is set, highlight the `keyboardOptions` argument value
+** If `keyboardOptions` is not set, highlight the `TextField` or `OutlinedTextField` constructor
+* Secondary location 
+** Highlight the call to `PasswordVisualTransformation`
+
+
+endif::env-github,rspecator-view[]
--- a/rules/S7410/metadata.json
+++ b/rules/S7410/metadata.json
@ -0,0 +1,2 @@
+{
+}