Skip to content

DART-259 Modify rule S6291: Add Dart language #4990

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

DART-259 Modify rule S6291: Add Dart language #4990

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions rules/S6291/common/recommended-java-kotlin.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
The encryption password should not be hard-coded in the application. There are different approaches how the password can be provided to encrypt and decrypt the database. In the case of `EncryptedSharedPreferences` the Android Keystore can be used to store the password. Other databases can rely on `EncryptedSharedPreferences` to store passwords. The password can also be provided dynamically by the user of the application or it can be fetched from a remote server if the other methods are not feasible.
3 changes: 3 additions & 0 deletions rules/S6291/dart/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{

}
62 changes: 62 additions & 0 deletions rules/S6291/dart/rule.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
:example_libraries: sqflite and sqflite_sqlcipher

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

The encryption password should not be hard-coded in the application. There are different approaches how the password can be provided to encrypt and decrypt the database, such as using https://pub.dev/packages/flutter_secure_storage[`flutter_secure_storage`]. The password can also be provided dynamically by the user of the application or it can be fetched from a remote server if the other methods are not feasible.

== Sensitive Code Example

For the https://pub.dev/packages/sqflite[`sqflite` package]:

[source,dart]
----
import 'package:sqflite/sqflite.dart';

void openDb() async {
final db = await openDatabase("test.db"); // Noncompliant: no password support
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
final db = await openDatabase("test.db"); // Noncompliant: no password support
final db = await openDatabase("test.db"); // Sensitive - no password support

await db.execute("CREATE TABLE Test (id INTEGER PRIMARY KEY, name TEXT)");
}
----

For the https://pub.dev/packages/sqflite_sqlcipher[`sqflite_sqlcipher` package]:

[source,dart]
----
import 'package:sqflite_sqlcipher/sqflite.dart';

void openDb() async {
final db = await openDatabase("test.db"); // Noncompliant: missing password
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
final db = await openDatabase("test.db"); // Noncompliant: missing password
final db = await openDatabase("test.db"); // Sensitive - missing password

await db.execute("CREATE TABLE Test (id INTEGER PRIMARY KEY, name TEXT)");
}
----

== Compliant Solution

Instead of the `openDatabase` function of the `sqflite` package, you can use the equivalent function in the https://pub.dev/packages/sqflite_sqlcipher[`sqflite_sqlcipher` package], that comes with a `password` parameter to encrypt the database:

[source,dart]
----
import 'package:sqflite_sqlcipher/sqflite.dart';

void openDb() async {
final db = await openDatabase("test.db", password: "password"); // Compliant
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
final db = await openDatabase("test.db", password: "password"); // Compliant
final db = await openDatabase("test.db", password: "password");

await db.execute("CREATE TABLE Test (id INTEGER PRIMARY KEY, name TEXT)");
}
----

include::../see.adoc[]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
4 changes: 3 additions & 1 deletion rules/S6291/description.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
Storing data locally is a common task for mobile applications. Such data includes preferences or authentication tokens for external services, among other things. There are many convenient solutions that allow storing data persistently, for example SQLiteDatabase, SharedPreferences, and Realm. By default these systems store the data unencrypted, thus an attacker with physical access to the device can read them out easily. Access to sensitive data can be harmful for the user of the application, for example when the device gets stolen.
Storing data locally is a common task for mobile applications. Such data includes preferences or authentication tokens for external services, among other things. There are many convenient solutions that allow storing data persistently, for example {example_libraries}.

By default these systems store the data unencrypted, thus an attacker with physical access to the device can read them out easily. Access to sensitive data can be harmful for the user of the application, for example when the device gets stolen.
4 changes: 4 additions & 0 deletions rules/S6291/java/rule.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
:example_libraries: SQLiteDatabase, SharedPreferences, and Realm

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../common/recommended-java-kotlin.adoc[]

== Sensitive Code Example

For https://developer.android.com/reference/kotlin/android/database/sqlite/SQLiteDatabase[SQLiteDatabase]:
Expand Down
4 changes: 4 additions & 0 deletions rules/S6291/kotlin/rule.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,13 @@
:example_libraries: SQLiteDatabase, SharedPreferences, and Realm

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

include::../common/recommended-java-kotlin.adoc[]

== Sensitive Code Example

For https://developer.android.com/reference/kotlin/android/database/sqlite/SQLiteDatabase[SQLiteDatabase]:
Expand Down
2 changes: 0 additions & 2 deletions rules/S6291/recommended.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,3 @@
== Recommended Secure Coding Practices

It's recommended to password-encrypt local databases that contain sensitive information. Most systems provide secure alternatives to plain-text storage that should be used. If no secure alternative is available the data can also be encrypted manually before it is stored.

The encryption password should not be hard-coded in the application. There are different approaches how the password can be provided to encrypt and decrypt the database. In the case of `EncryptedSharedPreferences` the Android Keystore can be used to store the password. Other databases can rely on `EncryptedSharedPreferences` to store passwords. The password can also be provided dynamically by the user of the application or it can be fetched from a remote server if the other methods are not feasible.