From 11609c693f844f4b1f96451d18f3578851baa403 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bart=C5=82omiej=20Pluta?= <bartlomiej.p.pluta@gmail.com>
Date: Fri, 5 Apr 2019 23:03:00 +0200
Subject: [PATCH] 10: Create CipherInstancePlugin

---
 .../com/bartek/esa/core/di/PluginModule.java  |  6 ++
 .../esa/core/plugin/CipherInstancePlugin.java | 71 +++++++++++++++++++
 src/main/resources/description.properties     |  8 ++-
 3 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/com/bartek/esa/core/plugin/CipherInstancePlugin.java

diff --git a/src/main/java/com/bartek/esa/core/di/PluginModule.java b/src/main/java/com/bartek/esa/core/di/PluginModule.java
index 1858beb..9c2e8ba 100644
--- a/src/main/java/com/bartek/esa/core/di/PluginModule.java
+++ b/src/main/java/com/bartek/esa/core/di/PluginModule.java
@@ -69,4 +69,10 @@ public class PluginModule {
     public Plugin usesSdkPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
         return new UsesSdkPlugin(globMatcher, xmlHelper);
     }
+
+    @Provides
+    @IntoSet
+    public Plugin cipherInstancePlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        return new CipherInstancePlugin(globMatcher, xmlHelper);
+    }
 }
diff --git a/src/main/java/com/bartek/esa/core/plugin/CipherInstancePlugin.java b/src/main/java/com/bartek/esa/core/plugin/CipherInstancePlugin.java
new file mode 100644
index 0000000..1ff6ee2
--- /dev/null
+++ b/src/main/java/com/bartek/esa/core/plugin/CipherInstancePlugin.java
@@ -0,0 +1,71 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.ImportDeclaration;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.expr.*;
+
+import javax.inject.Inject;
+import java.util.Optional;
+import java.util.regex.Pattern;
+
+public class CipherInstancePlugin extends JavaPlugin {
+    private static final Pattern ALGORITHM_QUALIFIER = Pattern.compile("^\"\\w+/\\w+/\\w+\"$");
+
+    @Inject
+    public CipherInstancePlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        super(globMatcher, xmlHelper);
+    }
+
+    @Override
+    public void run(CompilationUnit compilationUnit) {
+        compilationUnit.findAll(MethodCallExpr.class).stream()
+                .filter(expr -> expr.getName().getIdentifier().equals("getInstance"))
+                .filter(expr -> isCipherMethod(expr, compilationUnit))
+                .filter(expr -> expr.getArguments().isNonEmpty())
+                .filter(expr -> !isFullCipherQualifier(expr.getArguments().get(0).toString()))
+                .forEach(expr -> addIssue(Severity.ERROR, getLineNumberFromExpression(expr), expr.toString()));
+    }
+
+    private boolean isCipherMethod(MethodCallExpr expr, CompilationUnit compilationUnit) {
+        boolean isCipherMethod = expr.getScope()
+                .filter(Expression::isNameExpr)
+                .map(Expression::asNameExpr)
+                .map(NameExpr::getName)
+                .map(SimpleName::getIdentifier)
+                .filter(name -> name.equals("Cipher"))
+                .isPresent();
+
+        if(!isCipherMethod) {
+            isCipherMethod = compilationUnit.findAll(ImportDeclaration.class).stream()
+                    .filter(ImportDeclaration::isStatic)
+                    .filter(e -> e.getName().getIdentifier().equals("getInstance"))
+                    .map(ImportDeclaration::getName)
+                    .map(Name::getQualifier)
+                    .flatMap(Optional::stream)
+                    .map(Node::toString)
+                    .anyMatch(q -> q.equals("javax.crypto.Cipher"));
+        }
+
+        if(!isCipherMethod) {
+            isCipherMethod = compilationUnit.findAll(ImportDeclaration.class).stream()
+                    .filter(ImportDeclaration::isStatic)
+                    .filter(ImportDeclaration::isAsterisk)
+                    .map(ImportDeclaration::getName)
+                    .map(Name::getQualifier)
+                    .flatMap(Optional::stream)
+                    .map(Node::toString)
+                    .anyMatch(q -> q.equals("javax.crypto"));
+        }
+
+        return isCipherMethod;
+    }
+
+    private boolean isFullCipherQualifier(String qualifier) {
+        return ALGORITHM_QUALIFIER.matcher(qualifier).matches();
+    }
+}
diff --git a/src/main/resources/description.properties b/src/main/resources/description.properties
index a19a336..bce4886 100644
--- a/src/main/resources/description.properties
+++ b/src/main/resources/description.properties
@@ -63,4 +63,10 @@ com.bartek.esa.core.plugin.UsesSdkPlugin.NO_USES_SDK=There is no <uses-sdk> defi
 
 com.bartek.esa.core.plugin.UsesSdkPlugin.USES_SDK.NO_MIN_SDK_VERSION=There is no minSdkVersion defined in AndroidManifest.xml file.\n\
   In order to use this tool, minimal SDK version should be provided as the attribute of <uses-sdk> element.\n\
-  For example: <uses-sdk android:minSdkVersion="23">
\ No newline at end of file
+  For example: <uses-sdk android:minSdkVersion="23">
+
+com.bartek.esa.core.plugin.CipherInstancePlugin=Not fully-qualified algorithm name provided in Cipher.getInstance() method.\n\
+  Passing a shortcut instead of fully-qualified algorithm name in Cipher.getInstance() method is not portable across providers\n\
+  and can impact the system low secure than intended to be.\n\
+  Fully-qualified name matches the pattern: algorithm/mode/pattern\n\
+  For example: AES/CBC/PKCS5Padding
\ No newline at end of file