Qualitivity code

Hello,

In order to install Qualitivity on our organization's computers, the IT team raised the following questions.

Would you be able to provide an answer please?

Thank you in advance!

Best regards,

Susanna

Question 1: The class « Viewer », in the library « Sdl.Community.Qualitivity.Hooks.dll », intercepts operating system processes like keyboard activity. It seems this capture is not limited to the plugin and, therefore, the plugin could capture users' bank account credentials, for example. Why do you capture users' activity? And what are the risks if this library is used as a reference in another project (by a hacker, for example…)?

Question 2: The class « Query », in the library « Sdl.Community.Qualitivity.TM.dll », contains SQL injection risks in the following functions: getProjects(), getActivities(), VerifyDocumentActivityRecordsSupportLevel(). These three functions perform string concatenations without using SQL parameters. Can you check and correct the code?

  •  

    Question 1: The class « Viewer », in the library « Sdl.Community.Qualitivity.Hooks.dll », intercepts operating system processes like keyboard activity. It seems this capture is not limited to the plugin and, therefore, the plugin could capture users' bank account credentials, for example. Why do you capture users' activity? And what are the risks if this library is used as a reference in another project (by a hacker, for example…)?

    Is this a question or a statement? The app was designed to only capture keystrokes while using Trados Studio, so if you have evidence to the contrary please explain so we can investigate this.

    Question 2: The class « Query », in the library « Sdl.Community.Qualitivity.TM.dll », contains SQL injection risks in the following functions: getProjects(), getActivities(), VerifyDocumentActivityRecordsSupportLevel(). These three functions perform string concatenations without using SQL parameters. Can you check and correct the code?

    I'm not sure why this would even be a problem given this is a single user desktop solution, but perhaps  can offer some advice here.

    Paul Filkin | RWS Group

  • Thanks Paul!

    As for the first question, I'll forward it to our IT team.

    As for the second, I'm not an IT expert, but could this question be linked to the fact that our computers work on and rely on the organization's network?

    Thanks again!

    Susanna

  • Hi ,
    This plugin is quite old and might not adhere to best coding practices, but I can confirm that the scope of the keystroke monitoring is limited to the Studio application. The handler from Qualitivity itself is only recording keystrokes that come from the editor, so it's quite limited.

    Regarding the SQL injection risks that you highlighted, given the current state of the project code, this could be possible in theory, and ideally that code should be parameterized as you indicated, but the scope for such an attack in this case would be limited to the database created locally for managing the data with Qualitivity, which would also require a developer to manipulate the code implementation of Qualitivity to enable this.

    The Qualitivity project is open source and we encourage developers to get involved and contribute to improving the code where it makes sense, in doing so going beyond the strategic focus and capacity of our internal teams.
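The pattern raised in Question 2 and acknowledged in the reply above (a filter value concatenated into the SQL text instead of being bound as a parameter) is shown below as an added example. It is not Qualitivity's code: the plugin is a C#/.NET project and the thread does not show its queries, so this uses Python's sqlite3 module against a constructed in-memory schema. The assumption that the local database is SQLite, the table layout, and the function names (get_projects / get_activities, modelled on the getProjects() / getActivities() names in the question) are all illustrative. Each vulnerable function is paired with its parameterized fix, and demo() runs the same inputs through both so the difference is observable.

```python
import sqlite3

# Constructed sample schema and rows for the example; not Qualitivity's real tables.
_SCHEMA = """
CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT NOT NULL);
CREATE TABLE activities (id INTEGER PRIMARY KEY, project_id INTEGER NOT NULL, name TEXT NOT NULL);
INSERT INTO projects VALUES (1, 'Manual EN-FR', 'susanna');
INSERT INTO projects VALUES (2, 'Website DE-EN', 'paul');
INSERT INTO projects VALUES (3, 'Contract FR-EN', 'o''brien');
INSERT INTO activities VALUES (10, 1, 'Translation');
INSERT INTO activities VALUES (11, 2, 'Review');
"""


def open_db() -> sqlite3.Connection:
    """Open an in-memory SQLite database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(_SCHEMA)
    return con


def get_projects_concat(con, owner):
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL text."""
    sql = "SELECT id, name FROM projects WHERE owner = '" + owner + "'"
    return con.execute(sql).fetchall()


def get_projects_param(con, owner):
    """Fixed pattern: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, name FROM projects WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()


def get_activities_concat(con, project_id):
    """Vulnerable even for a 'numeric' id when it arrives as a string."""
    sql = "SELECT id, name FROM activities WHERE project_id = " + str(project_id)
    return con.execute(sql).fetchall()


def get_activities_param(con, project_id):
    """Fixed pattern: coerce to int explicitly (rejecting anything else), then bind."""
    sql = "SELECT id, name FROM activities WHERE project_id = ?"
    return con.execute(sql, (int(project_id),)).fetchall()


def demo():
    """Run the same four inputs through the concatenated and parameterized versions."""
    con = open_db()
    out = {}

    # 1. A tautology widens the filter to every row of the table.
    out["tautology_concat"] = get_projects_concat(con, "x' OR '1'='1")
    out["tautology_param"] = get_projects_param(con, "x' OR '1'='1")

    # 2. A UNION reads a table the query was never meant to touch;
    #    the trailing "--" comments out the closing quote the code appends.
    payload = "x' UNION SELECT id, name FROM activities --"
    out["union_concat"] = get_projects_concat(con, payload)
    out["union_param"] = get_projects_param(con, payload)

    # 3. A legitimate apostrophe breaks the concatenated query but not the bound one,
    #    so parameterization is also a correctness fix, not only a security one.
    try:
        get_projects_concat(con, "o'brien")
        out["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        out["apostrophe_concat"] = "syntax error"
    out["apostrophe_param"] = get_projects_param(con, "o'brien")

    # 4. Numeric-looking input is no safer when concatenated; the fixed version
    #    refuses it at the int() conversion before any SQL runs.
    out["numeric_concat"] = get_activities_concat(con, "1 OR 1=1")
    try:
        get_activities_param(con, "1 OR 1=1")
        out["numeric_param"] = "executed"
    except ValueError:
        out["numeric_param"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Whether the concatenated values ever come from untrusted data in Qualitivity (project or document metadata, for instance) is not established in this thread, and the reply above limits the exposure to the local database; the example only shows why the parameterized form is the one to keep regardless, since it also copes with ordinary names containing quotes.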
