From c0c1577f1ceadb2156a2135112e778626327c451 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bart=C5=82omiej=20Pluta?=
Date: Fri, 12 Apr 2019 10:51:28 +0200
Subject: [PATCH] 10: Add WorldAccessPermissionsPlugin
---
 .../com/bartek/esa/core/di/PluginModule.java | 6 +++
 .../plugin/WorldAccessPermissionsPlugin.java | 39 +++++++++++++++++++
 src/main/resources/description.properties | 7 +++-
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/com/bartek/esa/core/plugin/WorldAccessPermissionsPlugin.java
diff --git a/src/main/java/com/bartek/esa/core/di/PluginModule.java b/src/main/java/com/bartek/esa/core/di/PluginModule.java
index b4d75e3..cb9e906 100644
--- a/src/main/java/com/bartek/esa/core/di/PluginModule.java
+++ b/src/main/java/com/bartek/esa/core/di/PluginModule.java
@@ -125,4 +125,10 @@ public class PluginModule {
 public Plugin sqlInjectionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
 return new SqlInjectionPlugin(globMatcher, xmlHelper);
 }
+
+ @Provides
+ @IntoSet
+ public Plugin worldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+ return new WorldAccessPermissionsPlugin(globMatcher, xmlHelper);
+ }
 }
diff --git a/src/main/java/com/bartek/esa/core/plugin/WorldAccessPermissionsPlugin.java b/src/main/java/com/bartek/esa/core/plugin/WorldAccessPermissionsPlugin.java
new file mode 100644
index 0000000..fb1c8d1
--- /dev/null
+++ b/src/main/java/com/bartek/esa/core/plugin/WorldAccessPermissionsPlugin.java
@@ -0,0 +1,39 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.FieldAccessExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+
+import javax.inject.Inject;
+import java.util.Map;
+
+public class WorldAccessPermissionsPlugin extends JavaPlugin {
+
+ @Inject
+ public WorldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+ super(globMatcher, xmlHelper);
+ }
+
+ @Override
+ public void run(CompilationUnit compilationUnit) {
+ compilationUnit.findAll(NameExpr.class).stream()
+ .filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
+ .forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
+
+ compilationUnit.findAll(FieldAccessExpr.class).stream()
+ .filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
+ .forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
+ }
+
+ private Map getModel(NameExpr expression) {
+ return Map.of("exprName", expression.getName().getIdentifier());
+ }
+
+ private Map getModel(FieldAccessExpr expression) {
+ return Map.of("exprName", expression.getName().getIdentifier());
+ }
+}
diff --git a/src/main/resources/description.properties b/src/main/resources/description.properties
index 5d67f0b..a9057cb 100644
--- a/src/main/resources/description.properties
+++ b/src/main/resources/description.properties
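Review bot: Both `getModel` overloads return the raw type `Map`, and both `filter` lambdas call `String.matches`, which recompiles the same regex for every NameExpr and FieldAccessExpr in the compilation unit; the signatures should be `Map<String, String>` and the pattern should be compiled once as a `static final Pattern` (needs `import java.util.regex.Pattern;`). The two pipelines differ only in the node type they visit, so a future change to the identifier check would have to be made twice; routing both through one helper keeps them in step, which the sketch below does assuming `getLineNumberFromExpression` accepts a javaparser `Expression` (its declaration is in JavaPlugin, outside this hunk). The class also has no Javadoc; a header such as `/** Reports every reference to MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE, whether written as a bare name or as a qualified field access; only references by identifier are detected. */` tells a reader what is and is not covered.
```java
private static final Pattern WORLD_MODE = Pattern.compile("MODE_WORLD_(READABLE|WRITEABLE)");

// … unchanged: constructor …

@Override
public void run(CompilationUnit compilationUnit) {
    compilationUnit.findAll(NameExpr.class).forEach(expr -> report(expr, expr.getName().getIdentifier()));
    compilationUnit.findAll(FieldAccessExpr.class).forEach(expr -> report(expr, expr.getName().getIdentifier()));
}

/** Raises one ERROR issue when {@code identifier} names a world-access mode constant. */
private void report(Expression expr, String identifier) {
    if (WORLD_MODE.matcher(identifier).matches()) {
        addIssue(Severity.ERROR, Map.of("exprName", identifier), getLineNumberFromExpression(expr), expr.toString());
    }
}
```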
@@ -110,4 +110,9 @@ com.bartek.esa.core.plugin.IntentFilterPlugin=Implemented intent filter.\n\
 Also be aware, that intent filter is not a security tool. It can be easily omitted.
 com.bartek.esa.core.plugin.SqlInjectionPlugin='rawQuery' method detected. Potential SQL injection attack.\n\
- 'rawQuery' method should be avoided because of possibility to inject SQL code.
\ No newline at end of file
+ 'rawQuery' method should be avoided because of possibility to inject SQL code.
+
+com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions detected. Potential data leakage.\n\
+ The deprecated '${exprName}' constant has been found and it can be risky to use.\n\
+ It grants world access permission to selected resource.\n\
+ Consider using less permissive mode.a.
\ No newline at end of file
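Review bot: The last added line ends in `mode.a.`, which reads as a stray keystroke in text that is shown to the user for every finding; it should be `+    Consider using less permissive mode.`. The preceding line would also read better as `It grants world access permission to the selected resource.\n\`. The `${exprName}` placeholder matches the `exprName` key the plugin puts in its model, so the substitution itself looks consistent.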