Susanna Fiorini 

Susanna Fiorini said:

Question 1: The class « Viewer », in the library « Sdl.Community.Qualitivity.Hooks.dll », intercepts operating system processes like keyboard activity. It seems, this capture is not limited to the plugin and, therefore, the plugin could capture users bank account credentials for example. Why do you capture users’ activity? And what are the risks if this library is used as a reference in another project (by a hacker for example…)

Is this a question or a statement?  The app was designed to only capture keystrokes while using Trados Studio so if you have evidence to the contrary please explain so we can investigate this.

Susanna Fiorini said:

Question 2: The class « Query », in the library « Sdl.Community.Qualitivity.TM.dll », contains SQL injection risks in the following functions: getProjects() getActivities() VerifyDocumentActivityRecordsSupportLevel(). These three functions perform string concatenations without using SQL Parameters. Can you check and correct code?

I'm not sure why this would even be a problem given this is a single user desktop solution, but perhaps Patrick Andrew Hartnett can offer some advice here.

Susanna Fiorini 

Susanna Fiorini said:

Question 1: The class « Viewer », in the library « Sdl.Community.Qualitivity.Hooks.dll », intercepts operating system processes like keyboard activity. It seems, this capture is not limited to the plugin and, therefore, the plugin could capture users bank account credentials for example. Why do you capture users’ activity? And what are the risks if this library is used as a reference in another project (by a hacker for example…)

Is this a question or a statement?  The app was designed to only capture keystrokes while using Trados Studio so if you have evidence to the contrary please explain so we can investigate this.

Susanna Fiorini said:

Question 2: The class « Query », in the library « Sdl.Community.Qualitivity.TM.dll », contains SQL injection risks in the following functions: getProjects() getActivities() VerifyDocumentActivityRecordsSupportLevel(). These three functions perform string concatenations without using SQL Parameters. Can you check and correct code?

I'm not sure why this would even be a problem given this is a single user desktop solution, but perhaps Patrick Andrew Hartnett can offer some advice here.

Thanks Paul!

As for the first question, I'll forward it to our IT team.

As for the second, I'm not an IT expert, but could this question be linked to the fact that our computers work and rely on the organization network? 

Thanks again!

Susanna

Hi Susanna Fiorini ,
This plugin is quite old and might not adhere to best coding practices, but I can confirm that the scope of the keystroke monitoring is limited to the Studio Application.  The handler from Qualitivity itself is only recording keystrokes that come from the editor, so It’s quite limited.

Regarding the SQL injection risks that you highlighted, given the current state of the project code.  This could be possible in theory and ideally, that code should be parameterize as you indicated, but the scope for such an attack in this case would be limited to the database created locally for managing the data with Qualitivity, which would also require a developer to manipulate the code implementation of Qualitivity to enable this.

The Qualitivity project is open source and we encourage developers to get involved and contribute to improving the code where it makes sense.  In doing so going beyond the strategic focus & capacity of our internal teams.

Thanks a lot Patrick Andrew Hartnett for these explanations! I will forward them to the IT team.

Susanna