Bug 458063

Summary:	KDE Connect clipboard sharing syncs passwords copied from password managers
Product:	[Applications] kdeconnect	Reporter:	Firlaev-Hans <firlaevhanskde.upstream314>
Component:	common	Assignee:	Yuchen Shi <bolshaya_schists>
Status:	RESOLVED FIXED
Severity:	normal	CC:	bolshaya_schists, kde, mk.mateng, nicolas.fella
Priority:	NOR
Version:	22.04.3
Target Milestone:	---
Platform:	Fedora RPMs
OS:	Linux
Latest Commit:	https://invent.kde.org/network/kdeconnect-kde/commit/b9a089344efeb68ae4e6b5d780a39de398208fe3	Version Fixed In:
Sentry Crash Report:

Description Firlaev-Hans 2022-08-19 12:36:07 UTC

SUMMARY
Also see https://www.reddit.com/r/kde/comments/ws99fn/can_i_make_kde_connect_ignore_copied_passwords/
Basically, I want to keep using the clipboard sync feature of KDE Connect, but unfortunately it means that passwords copied from my password manager will also be synced to the connected devices and, unlike on the machine they were copied from, won't be automatically deleted from their clipboards after 10 seconds. This is a pretty big security issue for anyone using both a PM and a synced clipboard.
If there's a way KDE Connect could know where a clipboard item came from, it would be great if one could blacklist specific sources (like my Password manager KeepassXC) from being synced to other devices.

STEPS TO REPRODUCE
1. Have a connected device via KDE Connect, with clipboard sharing enabled
2. Let your password manager copy something to the clipboard
3. Check the clipboard on the connected device

OBSERVED RESULT
The copied content (password) is synced to all other devices.
On the "host" machine, password managers like KeepassXC will usually automatically delete the copied password from the clipboard after a few seconds. Also, even within those few seconds, the password doesn't show up in the Klipper history. But on all devices that KDE Connect syncs the clipboard to, the password is permanently added to the clipboard.

EXPECTED RESULT
If possible, KDE Connect should be able to have a blacklist of applications whose clipboard items will not be synced.
Otherwise, it might be possible to get away with only syncing the actual Klipper history and not copied items that aren't added to the history (because KeepassXC passwords aren't, but manually copied stuff would be)

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 36
KDE Plasma Version: 5.25.4
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.5
Kernel Version: 5.18.17-200.fc36.x86_64 (64-bit)
Graphics Platform: Wayland

Comment 1 David Edmundson 2022-08-19 23:21:41 UTC

>If possible, KDE Connect should be able to have a blacklist of applications whose clipboard items will not be synced.

We can't, we don't have know the source.

klipper does have a mechanism supported by some password managers were we filter out any selection which contains a mimetype key application/x-kde-passwordManagerHint

Comment 2 Firlaev-Hans 2022-08-20 08:10:00 UTC

(In reply to David Edmundson from comment #1)
> klipper does have a mechanism supported by some password managers were we
> filter out any selection which contains a mimetype key application/x-kde-passwordManagerHint

Is that something that KDE Connect already filters out, that just isn't supported on the KeePassXC side? Or does KDE Connect still need to implement the filtering?

Comment 3 Nicolas Fella 2022-08-20 08:50:22 UTC

I did implement that a while ago, but ironically people complained that they *do* want to sync their passwords :)

https://invent.kde.org/network/kdeconnect-kde/-/merge_requests/39

Comment 4 Firlaev-Hans 2022-08-20 09:51:08 UTC

(In reply to Nicolas Fella from comment #3)
> I did implement that a while ago, but ironically people complained that they
> *do* want to sync their passwords :)
> 
> https://invent.kde.org/network/kdeconnect-kde/-/merge_requests/39

Could it be made into an option then? Looking at the MR it seems like that was were the discussion was leading but nothing happened after that.
I can definitely see valid points for both sides of the argument, but personally I don't like it when my passwords are visible in plain text in some other device's clipboard history (the thing is that I often have not only my phone, but also my other Linux PC connected via KDE Connect)

Comment 5 Bug Janitor Service 2022-08-25 06:22:06 UTC

A possibly relevant merge request was started @ https://invent.kde.org/network/kdeconnect-kde/-/merge_requests/489

Comment 6 Simon Redman 2022-10-17 21:04:24 UTC

Git commit b9a089344efeb68ae4e6b5d780a39de398208fe3 by Simon Redman, on behalf of Yuchen Shi.
Committed on 17/10/2022 at 21:04.
Pushed by sredman into branch 'master'.

Add config for clipboard plugin on content types to share.

## Summary

This MR adds a config dialog for the Clipboard plugin, where the user can toggle
whether to share password and/or anything else with other devices.

Implements !39

According to previous discussion at !39 (and the bug linked), some users want to
skip sending passwords to other devices while others rely on the existing behavior.
This MR addresses that by allowing users to control those two types separately and
will replace !39 if merged.

![Screenshot with new config dialog](/uploads/3dfc6c6d69b86e6512e6a8948320a839/Screenshot_1661407807.png)

Borrowing the idea from !39, the `x-kde-passwordManagerHint` MIME data hint is used
to determine whether the content is considered secret. I've tested this method with
KeepassXC which [sets this correctly](https://github.com/keepassxreboot/keepassxc/blob/a6d3f973fa8449f0f7dac864b3bd3928c29c649f/src/gui/Clipboard.cpp#L62). See test plan below.

In theory, MIME also can be used to test for images and another checkbox can
be easily added should we decided to support images later. For now though, the
enum and the config supports only passwords or "anything else". Both defaults to true,
thus keeping full backwards compatibility. I've been keeping both unchecked since
I only share in one direction (Android to Linux), which wasn't possible until this MR.
Others may want to make their own choices.

## Test Plan

Please reference the screenshot above for the steps.

From the indicator, right-click and select `Configure`. Select a device from the
left side (or pair one if needed). In "available plugins", make sure "Clipboard"
is checked, and verify that a "Configure" icon button is now shown on the right.

Clicking that icon should bring up the new config dialog, where the two check boxes
can be toggled as desired. Click on "OK" to save and apply the settings. Clicking on
"Defaults" should bring both back to checked (the default behavior).

Copy normal plain text from your favorite text editor and it should be sent to another
device if the "anything else" checkbox is checked. I've tested this on an Android phone
but I see no reason it won't work elsewhere given the code for sending has not been changed.
(Feel free to test on other devices.)

Open KeepassXC and select an entry, right click and select "Copy password". This sets
the MIME hint so it should be treated as a password, controlled by the "passwords" checkbox.
I've toggled the settings multiple times on and off. Once "OK" is clicked, the next clipboard
change should pick up the latest settings.

I've only tested on Linux desktops (Arch Linux) since I do not own a Mac. I don't believe any
OS X application sets `x-kde-passwordManagerHint` at all, so they may be controlled by "anything else".

M +11 -0 plugins/clipboard/CMakeLists.txt
A +56 -0 plugins/clipboard/clipboard_config.cpp [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A +34 -0 plugins/clipboard/clipboard_config.h [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]
A +69 -0 plugins/clipboard/clipboard_config.ui
M +16 -5 plugins/clipboard/clipboardlistener.cpp
M +7 -2 plugins/clipboard/clipboardlistener.h
M +13 -1 plugins/clipboard/clipboardplugin.cpp
M +3 -1 plugins/clipboard/clipboardplugin.h
M +1 -0 plugins/clipboard/kdeconnect_clipboard.json
A +39 -0 plugins/clipboard/kdeconnect_clipboard_config.qml [License: GPL(3+eV) GPL(v3.0) GPL(v2.0)]

https://invent.kde.org/network/kdeconnect-kde/commit/b9a089344efeb68ae4e6b5d780a39de398208fe3