10: Create PermissionsRaceConditionPlugin

2019-04-05 14:47:04 +02:00
parent f4ed3e259d
commit 5f7dc6c2c9
3 changed files with 58 additions and 11 deletions
--- a/src/main/java/com/bartek/esa/core/di/PluginModule.java
+++ b/src/main/java/com/bartek/esa/core/di/PluginModule.java
@@ -4,6 +4,7 @@ import com.bartek.esa.core.archetype.Plugin;
 import com.bartek.esa.core.plugin.AllowBackupPlugin;
 import com.bartek.esa.core.plugin.DebuggablePlugin;
 import com.bartek.esa.core.plugin.LoggingPlugin;
+import com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin;
 import com.bartek.esa.core.xml.XmlHelper;
 import com.bartek.esa.file.matcher.GlobMatcher;
 import dagger.Module;
@@ -40,4 +41,10 @@ public class PluginModule {
    public Plugin allowBackupPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
        return new AllowBackupPlugin(globMatcher, xmlHelper);
    }
+
+    @Provides
+    @IntoSet
+    public Plugin permissionRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        return new PermissionsRaceConditionPlugin(globMatcher, xmlHelper);
+    }
 }
--- a/src/main/java/com/bartek/esa/core/plugin/PermissionsRaceConditionPlugin.java
+++ b/src/main/java/com/bartek/esa/core/plugin/PermissionsRaceConditionPlugin.java
@@ -0,0 +1,35 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.AndroidManifestPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import javax.inject.Inject;
+import javax.xml.xpath.XPathConstants;
+
+import static java.lang.Integer.parseInt;
+
+public class PermissionsRaceConditionPlugin extends AndroidManifestPlugin {
+
+    @Inject
+    public PermissionsRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        super(globMatcher, xmlHelper);
+    }
+
+    @Override
+    protected void run(Document xml) {
+        boolean isAnyPermissionDefined = ((NodeList) xPath(xml, "/manifest/permission", XPathConstants.NODESET)).getLength() > 0;
+        if(isAnyPermissionDefined) {
+            Node usesSdkNode = (Node) xPath(xml, "/manifest/uses-sdk", XPathConstants.NODE);
+            Node minSdkVersionNode = usesSdkNode.getAttributes().getNamedItem("android:minSdkVersion");
+            int minSdkVersion = parseInt(minSdkVersionNode.getNodeValue());
+            if(minSdkVersion < 21) {
+                addIssue(Severity.VULNERABILITY, null, minSdkVersionNode.toString());
+            }
+        }
+    }
+}
--- a/src/main/resources/description.properties
+++ b/src/main/resources/description.properties
@@ -26,18 +26,23 @@ com.bartek.esa.core.plugin.DebuggablePlugin.NO_ATTR=There is no android:debuggab
  For example: <application android:debuggable="false">

 com.bartek.esa.core.plugin.DebuggablePlugin.NO_FALSE=The android:debuggable is set to 'true'. Potential data leakage. \n\
-  The android:debuggable option in AndroidManifest.xml is set to 'true'. \n\
-  This will cause application to be debuggable and can result in \
-  security issues and data leakage on the production environment. \n\
-  Consider setting it to 'false'.
+The android:debuggable option in AndroidManifest.xml is set to 'true'. \n\
+This will cause application to be debuggable and can result in \
+security issues and data leakage on the production environment. \n\
+Consider setting it to 'false'.

 com.bartek.esa.core.plugin.AllowBackupPlugin.NO_ATTR=There is no android:allowBackup option. Potential data leakage. \n\
-  The android:allowBackup option was not found in the AndroidManifest.xml file. \n\
-  To avoid any potential data theft in the future, please explicitly set this flag to false. \n\
-  The attribute should be placed in <application> tag.\n\
-  For example: <application android:allowBackup="false">
+The android:allowBackup option was not found in the AndroidManifest.xml file. \n\
+To avoid any potential data theft in the future, please explicitly set this flag to false. \n\
+The attribute should be placed in <application> tag.\n\
+For example: <application android:allowBackup="false">

 com.bartek.esa.core.plugin.AllowBackupPlugin.NO_FALSE=The android:allowBackup is set to 'true'. Potential data leakage. \n\
-  The android:allowBackup option in AndroidManifest.xml is set to 'true'. \n\
-  This will allow accessing the backups via adb if device has USB debugging enabled.\n\
-  Consider setting it to 'false'.
+The android:allowBackup option in AndroidManifest.xml is set to 'true'. \n\
+This will allow accessing the backups via adb if device has USB debugging enabled.\n\
+Consider setting it to 'false'.
+
+com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin=Potential permissions race condition vulnerability. \n\
+  There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to less than 21.\n\
+  It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\
+  Consider setting minimal API version to 21 at least.