storesafe / cordova-sqlcipher-adapter

A Cordova/PhoneGap plugin to create and access encrypted databases on Android, iOS, and Windows with API similar to HTML5/Web SQL API

Database password logged when SQL error occurs #90

Closed Wingzzzzz closed 4 years ago

Wingzzzzz commented 4 years ago

iOS 12.4 cordova-sqlcipher-adapter 0.4.1

As a function of Cordova-sqlite-storage, when an SQL error occurs, it logs database open args like:

2019-10-16 18:58:01.136887+0800 MyApp[18299:2294348] ERROR: execute sql with error : { db: 
   { openargs: 
      { name: 'app.db',
        key: 'password1',
        location: 'default',
        dblocation: 'nosync' },
     dbname: 'app.db',
     openSuccess: [Function],
     openError: [Function] },
  fn: [Function],
  error: [Function],
  success: undefined,
  txlock: true,
  readOnly: false,
  executes: [] }

The problem for cordova-sqlcipher-adapter is that the password is exposed whenever others connect to the device to check the device log.

brodycj commented 4 years ago

Thanks, please accept my apologies for the extra-long delay. Definitely a security issue!

Wingzzzzz commented 4 years ago

No problem, appreciate your effort on the project.

brodycj commented 4 years ago

This kind of error log is not in the JavaScript code on this plugin. I think we can close this one.

Wingzzzzz commented 4 years ago

I have not looked into the logging-related code, but can I say this: options printed are not expected to have sensitive information.

brodycj commented 4 years ago

As I tried to explain before, that log message is not part of this plugin. A https://stackoverflow.com/help/minimal-reproducible-example is needed to demonstrate your issue. Closing as invalid.
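
The object in the log quoted in this issue carries the SQLCipher key under `db.openargs.key`. As an added example (not code from the plugin or from either commenter), this is one way a logging call could mask such fields before printing. `redactForLog`, `safeErrorLine`, `sampleTransaction` and the `SENSITIVE_FIELDS` list are hypothetical names, and the sample object is constructed to match the shape in the log above.

```javascript
// Added example: mask secrets in an object before it reaches the device log.
// All names here are hypothetical; none of them are plugin API.
const SENSITIVE_FIELDS = new Set(['key', 'password', 'passphrase']);

function redactForLog(value, ancestors = new WeakSet()) {
  if (typeof value === 'function') return '[Function]';
  if (value === null || typeof value !== 'object') return value;
  // Guard against cycles (a transaction may reference its db and vice versa).
  if (ancestors.has(value)) return '[Circular]';
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => redactForLog(v, ancestors));
  } else {
    out = {};
    for (const [name, v] of Object.entries(value)) {
      // Mask by field name, so the secret is never copied into the output.
      out[name] = SENSITIVE_FIELDS.has(name.toLowerCase())
        ? '[REDACTED]'
        : redactForLog(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Constructed sample shaped like the object in the quoted log line.
function sampleTransaction() {
  const db = {
    openargs: { name: 'app.db', key: 'password1', location: 'default', dblocation: 'nosync' },
    dbname: 'app.db',
    openSuccess: () => {},
    openError: () => {},
  };
  const tx = { db, fn: () => {}, error: () => {}, success: undefined,
               txlock: true, readOnly: false, executes: [] };
  db.lastTx = tx; // constructed back-reference to exercise the cycle guard
  return tx;
}

// Build the log line from the redacted copy, never from the original object.
function safeErrorLine(tx) {
  return 'ERROR: execute sql with error : ' + JSON.stringify(redactForLog(tx));
}

console.log(safeErrorLine(sampleTransaction()));
```

Redaction here is by field name only, so a secret stored under a name that is not in `SENSITIVE_FIELDS` would still be printed.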