diff --git a/src/main/java/com/bartek/esa/core/di/PluginModule.java b/src/main/java/com/bartek/esa/core/di/PluginModule.java
index 00e1a80..c2c7dde 100644
--- a/src/main/java/com/bartek/esa/core/di/PluginModule.java
+++ b/src/main/java/com/bartek/esa/core/di/PluginModule.java
@@ -1,10 +1,7 @@
 package com.bartek.esa.core.di;
 
 import com.bartek.esa.core.archetype.Plugin;
-import com.bartek.esa.core.plugin.AllowBackupPlugin;
-import com.bartek.esa.core.plugin.DebuggablePlugin;
-import com.bartek.esa.core.plugin.LoggingPlugin;
-import com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin;
+import com.bartek.esa.core.plugin.*;
 import com.bartek.esa.core.xml.XmlHelper;
 import com.bartek.esa.file.matcher.GlobMatcher;
 import dagger.Module;
@@ -47,4 +44,10 @@ public class PluginModule {
     public Plugin permissionRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
         return new PermissionsRaceConditionPlugin(globMatcher, xmlHelper);
     }
+
+    @Provides
+    @IntoSet
+    public Plugin secureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        return new SecureRandomPlugin(globMatcher, xmlHelper);
+    }
 }
diff --git a/src/main/java/com/bartek/esa/core/plugin/SecureRandomPlugin.java b/src/main/java/com/bartek/esa/core/plugin/SecureRandomPlugin.java
new file mode 100644
index 0000000..bcefe42
--- /dev/null
+++ b/src/main/java/com/bartek/esa/core/plugin/SecureRandomPlugin.java
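Review bot: The wildcard `import com.bartek.esa.core.plugin.*;` in the first hunk replaces four explicit imports and will silently pull in any class later added to that package, which is why google-java-format and Checkstyle's AvoidStarImport reject star imports. Keeping the explicit list and adding `import com.bartek.esa.core.plugin.SecureRandomPlugin;` keeps the module's dependencies visible in the diff. The `secureRandomPlugin` provider in the second hunk mirrors the sibling `permissionRaceConditionPlugin` binding and looks fine as written.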
@@ -0,0 +1,38 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.ObjectCreationExpr;
+import com.github.javaparser.ast.visitor.VoidVisitorAdapter;
+
+import javax.inject.Inject;
+
+public class SecureRandomPlugin extends JavaPlugin {
+
+    @Inject
+    public SecureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+        super(globMatcher, xmlHelper);
+    }
+
+    @Override
+    public void run(CompilationUnit compilationUnit) {
+        compilationUnit.accept(new VoidVisitorAdapter() {
+            @Override
+            public void visit(ObjectCreationExpr objectCreation, Void arg) {
+                String identifier = objectCreation.getType().getName().getIdentifier();
+                NodeList arguments = objectCreation.getArguments();
+
+                if(identifier.equals("SecureRandom") && arguments.isNonEmpty()) {
+                    addIssue(Severity.VULNERABILITY, getLineNumberFromExpression(objectCreation), objectCreation.toString());
+                }
+
+                super.visit(objectCreation, arg);
+            }
+        }, null);
+    }
+}
diff --git a/src/main/resources/description.properties b/src/main/resources/description.properties
index e96b19e..5f75bcc 100644
--- a/src/main/resources/description.properties
+++ b/src/main/resources/description.properties
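Review bot: `new VoidVisitorAdapter()` and `NodeList arguments` inside `run` are raw types, which is why the imported `Expression` is otherwise unused and why the compiler cannot check the `Void` parameter of the `visit` override; write `new VoidVisitorAdapter<Void>()` and `NodeList<Expression> arguments = objectCreation.getArguments();`. The rule only inspects constructor calls, so a generator obtained via `SecureRandom.getInstance(...)` and then seeded with `setSeed(...)` is not reported even though it has the same predictability problem; if no other plugin covers that, a second override for `MethodCallExpr` named `setSeed`, or at least a header comment stating the constructor-only scope, would make the limitation explicit. Matching on `getType().getName().getIdentifier()` alone also flags any unrelated class that happens to be called SecureRandom; resolving the type to `java.security.SecureRandom` would tighten the check, though I can't tell from this hunk whether the project configures a symbol solver.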
@@ -46,3 +46,7 @@ com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin=Potential permissions
 There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to less than 21.\n\
 It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\
 Consider setting minimal API version to 21 at least.
+
+com.bartek.esa.core.plugin.SecureRandomPlugin=Initializing SecureRandom object with custom seed. \n\
+Specifying custom seed for SecureRandom can produce predictable sequence of numbers. \n\
+Please create SecureRandom object without any arguments instead.
\ No newline at end of file
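Review bot: The new `SecureRandomPlugin` entry is added without a trailing newline (`\ No newline at end of file`), unlike the rest of the file, and each of its continuation lines ends with `. \n\` where the sibling entries use `.\n\`, so the rendered description carries a stray space before every line break. Ending the last line with a newline and dropping the space before `\n\` keeps the entry consistent with the other descriptions.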