bartek/esa-tool
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

10: Create SecureRandomPlugin

Browse Source
This commit is contained in:
Bartłomiej Pluta
2019-04-05 15:00:20 +02:00
parent 5f7dc6c2c9
commit b3a88821f5
3 changed files with 49 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/main/java/com/bartek/esa/core/di/PluginModule.java
View File

@@ -1,10 +1,7 @@
package com.bartek.esa.core.di; package com.bartek.esa.core.di;
import com.bartek.esa.core.archetype.Plugin; import com.bartek.esa.core.archetype.Plugin;
import com.bartek.esa.core.plugin.AllowBackupPlugin; import com.bartek.esa.core.plugin.*;
import com.bartek.esa.core.plugin.DebuggablePlugin;
import com.bartek.esa.core.plugin.LoggingPlugin;
import com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin;
import com.bartek.esa.core.xml.XmlHelper; import com.bartek.esa.core.xml.XmlHelper;
import com.bartek.esa.file.matcher.GlobMatcher; import com.bartek.esa.file.matcher.GlobMatcher;
import dagger.Module; import dagger.Module;
@@ -47,4 +44,10 @@ public class PluginModule {
public Plugin permissionRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) { public Plugin permissionRaceConditionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
return new PermissionsRaceConditionPlugin(globMatcher, xmlHelper); return new PermissionsRaceConditionPlugin(globMatcher, xmlHelper);
} }
@Provides
@IntoSet
public Plugin secureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
return new SecureRandomPlugin(globMatcher, xmlHelper);
}
} }

38
src/main/java/com/bartek/esa/core/plugin/SecureRandomPlugin.java Normal file
View File

@@ -0,0 +1,38 @@
package com.bartek.esa.core.plugin;
import com.bartek.esa.core.archetype.JavaPlugin;
import com.bartek.esa.core.model.enumeration.Severity;
import com.bartek.esa.core.xml.XmlHelper;
import com.bartek.esa.file.matcher.GlobMatcher;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.NodeList;
import com.github.javaparser.ast.expr.Expression;
import com.github.javaparser.ast.expr.ObjectCreationExpr;
import com.github.javaparser.ast.visitor.VoidVisitorAdapter;
import javax.inject.Inject;
public class SecureRandomPlugin extends JavaPlugin {
@Inject
public SecureRandomPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
super(globMatcher, xmlHelper);
}
@Override
public void run(CompilationUnit compilationUnit) {
compilationUnit.accept(new VoidVisitorAdapter<Void>() {
@Override
public void visit(ObjectCreationExpr objectCreation, Void arg) {
String identifier = objectCreation.getType().getName().getIdentifier();
NodeList<Expression> arguments = objectCreation.getArguments();
if(identifier.equals("SecureRandom") && arguments.isNonEmpty()) {
addIssue(Severity.VULNERABILITY, getLineNumberFromExpression(objectCreation), objectCreation.toString());
}
super.visit(objectCreation, arg);
}
}, null);
}
}

4
src/main/resources/description.properties
View File

@@ -46,3 +46,7 @@ com.bartek.esa.core.plugin.PermissionsRaceConditionPlugin=Potential permissions
There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to less than 21.\n\ There are declared custom permissions in AndroidManifest.xml and the minimal API version is set to less than 21.\n\
It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\ It means that declared permissions can be obtained by malicious application installed before and without need of having 1proper signature.\n\
Consider setting minimal API version to 21 at least. Consider setting minimal API version to 21 at least.
com.bartek.esa.core.plugin.SecureRandomPlugin=Initializing SecureRandom object with custom seed. \n\
Specifying custom seed for SecureRandom can produce predictable sequence of numbers. \n\
Please create SecureRandom object without any arguments instead.