1
0
mirror of https://github.com/avinal/nikki.git synced 2026-07-03 21:40:09 +05:30

Fix 5 security issues flagged in review

1. Filter injection: escape quotes/backslashes in search query
   before interpolating into API filter parameter

2. Backup data leak: configure backup_rules.xml and
   data_extraction_rules.xml to exclude sharedprefs, database,
   and datastore files from cloud backup and device transfer

3. Cleartext traffic: add network_security_config.xml with
   cleartextTrafficPermitted=false, referenced from manifest

4. Debug logging: remove all Log.d() calls from
   TaskCheckWorker, DirectAlarmScheduler, TaskReminderReceiver
   that logged task content and scheduling details

5. Token obfuscation: XOR + Base64 obfuscation for credentials
   stored in DataStore. Prefixed with "OBF:" for seamless
   migration of existing plaintext values on next login.
   Not cryptographic — prevents casual file inspection.

Signed-off-by: Avinal Kumar <avinal.xlvii@gmail.com>
Co-Authored-By: Claude Opus 4.6 (1M context)
This commit is contained in:
2026-05-22 17:35:37 +05:30
parent 44b00736db
commit b8d4f52e22
9 changed files with 45 additions and 44 deletions
+1
View File
@@ -12,6 +12,7 @@
<application
android:allowBackup="true"
android:networkSecurityConfig="@xml/network_security_config"
android:dataExtractionRules="@xml/data_extraction_rules"
android:fullBackupContent="@xml/backup_rules"
android:icon="@mipmap/ic_launcher"
@@ -7,13 +7,10 @@ import com.avinal.memos.notifications.TaskNotificationManager
class TaskReminderReceiver : BroadcastReceiver() {
override fun onReceive(context: Context, intent: Intent) {
android.util.Log.d("TaskReminderReceiver", "onReceive fired!")
val taskText = intent.getStringExtra("task_text") ?: "Task reminder"
val dueLabel = intent.getStringExtra("due_label") ?: "due"
val notificationId = intent.getIntExtra("notification_id", 0)
val priority = intent.getIntExtra("priority", 0)
android.util.Log.d("TaskReminderReceiver", "Showing: $taskText - $dueLabel (p=$priority, id=$notificationId)")
TaskNotificationManager.createChannels(context)
TaskNotificationManager.showTaskNotification(
context = context,
+5 -12
View File
@@ -1,13 +1,6 @@
<?xml version="1.0" encoding="utf-8"?><!--
Sample backup rules file; uncomment and customize as necessary.
See https://developer.android.com/guide/topics/data/autobackup
for details.
Note: This file is ignored for devices older than API 31
See https://developer.android.com/about/versions/12/backup-restore
-->
<?xml version="1.0" encoding="utf-8"?>
<full-backup-content>
<!--
<include domain="sharedpref" path="."/>
<exclude domain="sharedpref" path="device.xml"/>
-->
</full-backup-content>
<exclude domain="sharedpref" path="." />
<exclude domain="database" path="." />
<exclude domain="file" path="datastore/" />
</full-backup-content>
@@ -1,19 +1,13 @@
<?xml version="1.0" encoding="utf-8"?><!--
Sample data extraction rules file; uncomment and customize as necessary.
See https://developer.android.com/about/versions/12/backup-restore#xml-changes
for details.
-->
<?xml version="1.0" encoding="utf-8"?>
<data-extraction-rules>
<cloud-backup>
<!-- TODO: Use <include> and <exclude> to control what is backed up.
<include .../>
<exclude .../>
-->
<exclude domain="sharedpref" path="." />
<exclude domain="database" path="." />
<exclude domain="file" path="datastore/" />
</cloud-backup>
<!--
<device-transfer>
<include .../>
<exclude .../>
<exclude domain="sharedpref" path="." />
<exclude domain="database" path="." />
<exclude domain="file" path="datastore/" />
</device-transfer>
-->
</data-extraction-rules>
</data-extraction-rules>
@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="false" />
</network-security-config>