hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14752 from masterofnow/LoadClassNoSignatureCheck

Browse Source 
Java: Insecure Loading of Class in Android App without Package Signature Checking
This commit is contained in:
Tony Torralba
2023-12-22 10:24:34 +01:00
committed by GitHub
parent e43fafc249 0fd09759df
commit 67f8bcce44
9 changed files with 258 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
java/ql/test/experimental/query-tests/security/CWE-470/BadClassLoader.java Normal file
View File

@@ -0,0 +1,27 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.util.Log;
public class BadClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
for (PackageInfo p : getPackageManager().getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.")) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}

31
java/ql/test/experimental/query-tests/security/CWE-470/GoodClassLoader.java Normal file
View File

@@ -0,0 +1,31 @@
package poc.sample.classloader;
import android.app.Application;
import android.content.pm.PackageInfo;
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;
public class GoodClassLoader extends Application {
@Override
public void onCreate() {
super.onCreate();
PackageManager pm = getPackageManager();
for (PackageInfo p : pm.getInstalledPackages(0)) {
try {
if (p.packageName.startsWith("some.package.") &&
(pm.checkSignatures(p.packageName, getApplicationContext().getPackageName()) == PackageManager.SIGNATURE_MATCH)
) {
Context appContext = createPackageContext(p.packageName,
CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY);
ClassLoader classLoader = appContext.getClassLoader();
Object result = classLoader.loadClass("some.package.SomeClass")
.getMethod("someMethod")
.invoke(null);
}
} catch (Exception e) {
Log.e("Class loading failed", e.toString());
}
}
}
}

12
java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.expected Normal file
View File

@@ -0,0 +1,12 @@
edges
| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:17:47:17:56 | appContext : Context |
| BadClassLoader.java:17:47:17:56 | appContext : Context | BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader |
| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | BadClassLoader.java:18:37:18:47 | classLoader |
nodes
| BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | semmle.label | createPackageContext(...) : Context |
| BadClassLoader.java:17:47:17:56 | appContext : Context | semmle.label | appContext : Context |
| BadClassLoader.java:17:47:17:73 | getClassLoader(...) : ClassLoader | semmle.label | getClassLoader(...) : ClassLoader |
| BadClassLoader.java:18:37:18:47 | classLoader | semmle.label | classLoader |
subpaths
#select
| BadClassLoader.java:18:37:18:47 | classLoader | BadClassLoader.java:15:42:16:75 | createPackageContext(...) : Context | BadClassLoader.java:18:37:18:47 | classLoader | Class loaded from a $@ without signature check | BadClassLoader.java:15:42:16:75 | createPackageContext(...) | third party library |

1
java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref Normal file
View File

@@ -0,0 +1 @@
experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql

2
java/ql/test/experimental/query-tests/security/CWE-470/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/google-android-9.0.0