Thursday, December 5, 2019

#1 2019-11-21 05:19:47 pm

andrewbluepiano
Member
Registered: 2019-11-20
Posts: 10
Website

Safety of sharing my open source app if it works with password

Odd question. I know Property fields have different behaviors relating to retaining their values depending on if compiled or not. I am building a Cocoa GUI to control my AppleScript. I have posted the project and some builds on GitHub (hidden now). I don't think this is the case, but is there any possibility that my Administrator password could have been retained in either the .xcodeproj or in the compiled .app of my program?

I have two relevant properties in my AppleScript:
property shellPassword : missing value
property shellPasswordField : missing value

shellPasswordField is the Referencing Outlet Delegate for a Secure Password Field Cell. It is not bound to the value of either property though, which I think would be the only reason I would need to worry.

Then the password is checked by this function:

    on checkPasswd:sender
        set shellPassword to shellPasswordField's stringValue() as text
        try
            do shell script "sudo -K"
            do shell script "/bin/echo" password shellPassword with administrator privileges
            display notification "Auth Success"
            delay 1
            return 1
        on error errMsg number errorNumber
            display dialog "Debugging alert error occurred:  " & errMsg as text & " Num: " & errorNumber as text
            --display alert "Sorry, you've entered an invalid password. Please try again."
            return 0
        end try
    end checkPasswd:


Obviously the values are also sent as senders to other functions in the program, but I don't think they're relevant. I can post them if needed.

Offline

 

#2 2019-11-21 07:16:22 pm

Shane Stanley
Member
From: Australia
Registered: 2002-12-07
Posts: 6062

Re: Safety of sharing my open source app if it works with password

If your AppleScript code is part of a class loaded by an Xcode project, then you have no problem. If it's a script you're loading some other way, then it may retain the password in the property.


Shane Stanley <sstanley@myriad-com.com.au>
www.macosxautomation.com/applescript/apps/
latenightsw.com

Offline

 

#3 2019-11-21 09:27:54 pm

andrewbluepiano
Member
Registered: 2019-11-20
Posts: 10
Website

Re: Safety of sharing my open source app if it works with password

Very rusty with Xcode, and my experience was with Swift v1 & v2, so not sure if it's a class. I grepped over all the files and it doesn't seem to be retained, but here's the project hierarchy just in case.

I also added in display alerts to test and it doesn't seem to be retained, but I had to specifically address the fact that my check boxes were retaining their checked status across runs, which is why I got worried about this.


Last edited by andrewbluepiano (2019-11-21 09:29:03 pm)

Offline
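
The check described in the post above (searching the project and the built .app for the password before publishing), as an added example that is not part of the original thread. A plain grep only matches the byte form the password was typed in, so this sketch also looks for UTF-16 forms; the names `scan_tree` and `ENCODINGS` are hypothetical, and the idea that a binary file might hold the text as UTF-16 is an assumption.

```python
import getpass
import sys
from pathlib import Path

# Assumption: a binary or compiled file may hold the text as UTF-16 rather
# than UTF-8, so each byte form is searched for.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")


def scan_tree(root, secret):
    """Return sorted (relative_path, encoding, byte_offset) hits under root."""
    if not secret:
        raise ValueError("an empty secret would match every file")
    needles = {enc: secret.encode(enc) for enc in ENCODINGS}
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()  # whole file in memory; fine for app bundles
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for enc, needle in needles.items():
            offset = data.find(needle)
            if offset != -1:
                hits.append((str(path.relative_to(root)), enc, offset))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python3 scan_secret.py /path/to/project-or-App.app
    # The secret is read with getpass so it never lands in shell history.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_tree(target, getpass.getpass("Secret to look for: "))
    for rel, enc, offset in found:
        print(f"{rel}: present as {enc} at byte {offset}")
    sys.exit(1 if found else 0)
```

Compressed or encrypted containers (for example Git object files) are not decoded, so a clean result covers only text stored as-is.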

 

#4 2019-11-21 09:33:52 pm

Shane Stanley
Member
From: Australia
Registered: 2002-12-07
Posts: 6062

Re: Safety of sharing my open source app if it works with password

If it's a class file, it will contain property parent : class "NSObject" (or some other parent class).


Shane Stanley <sstanley@myriad-com.com.au>
www.macosxautomation.com/applescript/apps/
latenightsw.com

Offline

 

#5 2019-11-21 09:49:09 pm

andrewbluepiano
Member
Registered: 2019-11-20
Posts: 10
Website

Re: Safety of sharing my open source app if it works with password

script ArtifactFinder
   
    property parent : class "NSObject"


Has been there since the beginning. All set I assume?

Last edited by andrewbluepiano (2019-11-21 09:49:27 pm)

Offline

 

#6 2019-11-21 11:54:31 pm

Shane Stanley
Member
From: Australia
Registered: 2002-12-07
Posts: 6062

Re: Safety of sharing my open source app if it works with password

Yes.


Shane Stanley <sstanley@myriad-com.com.au>
www.macosxautomation.com/applescript/apps/
latenightsw.com

Offline

 

#7 2019-11-22 12:56:58 am

andrewbluepiano
Member
Registered: 2019-11-20
Posts: 10
Website

Re: Safety of sharing my open source app if it works with password

Thank you! I had a strange socket-based event loop running for hours on my Mac this morning from nowhere, and was worried I had somehow published the PW to GitHub.

Last edited by andrewbluepiano (2019-11-22 12:57:14 am)

Offline

 
