Add theoretical security checks to every script available on the lock screen#14211
cc @CyrilleB79
See test results for failed build of commit 72ed16feb5
feerrenrut left a comment
Overall this looks good.
I didn't comment all changes, but it would be good to have an accurate log message when the scripts fail due to security. Additionally, for the user, it may be more friendly to supply a specific UI message.
Additionally, the consistency of the security explainer comments is good, perhaps link them all back to the set of safescripts.
See test results for failed build of commit f4d9511645
feerrenrut left a comment
I think it's best to be explicit that the script is expected to return after checking whether the info can be exposed. Trying to prevent future regressions by making the intent explicit.
I didn't mark all the cases where return is missing. It would be safest to ensure every ui.reviewMessage(gui.blockAction.Context.WINDOWS_LOCKED.translatedMessage) should be followed by a return, and if not comment on why a different pattern is followed.
| # This script is available on the lock screen via getSafeScripts, as such | ||
| # ensure the status bar does not contain secure information | ||
| # before announcing this object | ||
| and not objectBelowLockScreenAndWindowsIsLocked(obj) |
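Review bot: at the "and not objectBelowLockScreenAndWindowsIsLocked(obj)" clause, the comment explains why the check exists but not what happens when it rejects the object. Because the check is one term of a larger condition, a secure object only makes that condition false, and these lines do not show which path runs next. Suggest stating in the comment which branch handles the locked case, and having that branch log that the object was withheld because Windows is locked.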
How does the other branch handle a locked session? E.g. foreground = api.getForegroundObject(), will foreground be None?
I have tested reporting the title on the lock screen. "Lock Screen Window" and "Magnifier" were reported correctly from the lock screen and sign-in screen. I'm not sure how gracefully this fails.
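The review request above, that every ui.reviewMessage(gui.blockAction.Context.WINDOWS_LOCKED.translatedMessage) call be followed by a return, can be checked mechanically. The following is an added example, not code from this PR or from NVDA: a small AST check run over a constructed sample in which `obj` and `announce` are hypothetical names.

```python
import ast

# Constructed sample, not NVDA source; `obj` and `announce` are hypothetical.
SAMPLE = '''
def script_good(self, gesture):
    if objectBelowLockScreenAndWindowsIsLocked(obj):
        ui.reviewMessage(gui.blockAction.Context.WINDOWS_LOCKED.translatedMessage)
        return
    announce(obj)

def script_bad(self, gesture):
    if objectBelowLockScreenAndWindowsIsLocked(obj):
        ui.reviewMessage(gui.blockAction.Context.WINDOWS_LOCKED.translatedMessage)
    announce(obj)
'''

def _is_locked_message(stmt):
    """True for a statement that calls ui.reviewMessage with the WINDOWS_LOCKED message."""
    if not (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)):
        return False
    call = stmt.value
    return (ast.unparse(call.func) == "ui.reviewMessage"
            and any("WINDOWS_LOCKED" in ast.unparse(arg) for arg in call.args))

def find_missing_returns(source):
    """Return (function name, line) for each locked message not directly followed by return."""
    findings = []

    def visit(node, func_name):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            func_name = node.name
        # Every statement list a node can own: if/for/while/try/with bodies and their else/finally.
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if isinstance(block, list):
                for stmt, nxt in zip(block, block[1:] + [None]):
                    # A message that ends its block is flagged too: control may fall
                    # through to code after the enclosing if, as in script_bad.
                    if _is_locked_message(stmt) and not isinstance(nxt, ast.Return):
                        findings.append((func_name, stmt.lineno))
        for child in ast.iter_child_nodes(node):
            visit(child, func_name)

    visit(ast.parse(source), "<module>")
    return findings

if __name__ == "__main__":
    for name, line in find_missing_returns(SAMPLE):
        print(f"{name}: line {line}: WINDOWS_LOCKED message is not followed by return")
```

A finding is a prompt for review rather than proof of a leak: the review comment allows a different pattern where a comment explains why.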
Link to issue number:
None
Summary of the issue:
NVDA may cache or directly access objects below the lock screen while Windows is locked.
As a result, without security checks, secure information may be leaked while Windows is locked.
"Secure objects" refer to NVDAObjects which may contain secure information: i.e. objects below the lock screen while Windows is locked.
In 2022.2.4, additional security checks were added to api.setReviewCursor to prevent secure objects from being set as the review cursor.
The results of api.setReviewCursor are not acknowledged, meaning theoretically a cached secure object may be announced.
Similar issues exist for other scripts available on the lock screen.
A thorough review of every script available on the lock screen is required.
There are no known exploits related to the theoretical issues that this PR attempts to solve.
Description of user facing changes
None
Description of development approach
A thorough review of every script available on the lock screen was performed.
Additional security checks were added to ensure that no secure objects or text from secure objects are cached or announced when activating a script available on the lock screen.
Testing strategy:
Test on alpha for an extensive period, as these changes are minor but widespread and hard to test manually.
Known issues with pull request:
None
Change log entries:
None required
Code Review Checklist: