From fdb437552cc0ecc73cee62324c46278054ad65a1 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Fri, 29 Jul 2022 01:10:15 -0400
Subject: [PATCH] clean up android query and tests
---
.../CWE/CWE-489/DebuggableAttributeTrue.qhelp | 22 ++++------
.../CWE/CWE-489/DebuggableAttributeTrue.ql | 4 +-
.../Security/CWE/CWE-489/DebuggableFalse.xml | 8 ++++
.../Security/CWE/CWE-489/DebuggableTrue.xml | 8 ++++
.../CWE-489/DebuggableAttributeTrue.expected | 2 +-
.../query-tests/security/CWE-489/Test.java | 41 ++++++++++++++++++-
.../security/CWE-489/TestFalse.xml | 2 +-
.../security/CWE-489/TestNotSet.xml | 2 +-
.../query-tests/security/CWE-489/TestTrue.xml | 2 +-
9 files changed, 70 insertions(+), 21 deletions(-)
create mode 100644 java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml
create mode 100644 java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml
diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
index 557c61f43aa..e0e8fbf2d98 100644
--- a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
+++ b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
@@ -4,35 +4,31 @@ -

The debuggable attribute in the application section of the AndroidManifest.xml file should -never be enabled in production builds.

- -

ADD MORE/EDIT?

+

When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.

-

Make sure that the debuggable attribute is set to false in production builds.

+

In Android applications either set the android:debuggable attribute to false +or do not include it in the manifest. The default value when not included is false.

-

In the example below, the debuggable attribute is set to true.

+

In the example below, the android:debuggable attribute is set to true.

+ -

The corrected version sets the debuggable attribute to false.

+

The corrected version sets the android:debuggable attribute to false.

+
  • - Java SE Documentation: - Compound Statements. -
  • -
  • - Wikipedia: - Indentation style. + Android Developers: + The android:debuggable attribute.
  • diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql index 58020bb94d9..a7bacaf4250 100644 --- a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql +++ b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql @@ -1,5 +1,5 @@ /** - * @name Debuggable attribute enabled + * @name Android debuggable attribute enabled * @description An enabled debugger can allow for entry points in the application or reveal sensitive information. * @kind problem * @problem.severity warning @@ -7,7 +7,7 @@ * @tags security * external/cwe/cwe-489 * @precision very-high - * @security-severity 0.1 + * @security-severity */ import java diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml b/java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml new file mode 100644 index 00000000000..7de19373bf3 --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml @@ -0,0 +1,8 @@ + + + + + + + diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml b/java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml new file mode 100644 index 00000000000..3700d5356ba --- /dev/null +++ b/java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml @@ -0,0 +1,8 @@ + + + + + + + diff --git a/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected b/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected index 5db8848b4cb..16c82e46225 100644 --- a/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected +++ b/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected @@ -1 +1 @@ -| TestTrue.xml:7:5:17:30 | debuggable=true | Warning: debuggable attribute enabled | +| TestTrue.xml:7:5:17:30 | debuggable=true | The 'debuggable' attribute is enabled. | diff --git a/java/ql/test/query-tests/security/CWE-489/Test.java b/java/ql/test/query-tests/security/CWE-489/Test.java index 273aafc3566..2e81c169877 100644 
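Review bot: In the second hunk of DebuggableAttributeTrue.ql the `@security-severity` tag is left with no value once `0.1` is removed. That property is meant to carry a numeric score between 0.0 and 10.0 that code scanning uses to rank the alert, so an empty tag is likely to fail query-metadata validation or leave the alert unranked; which of the two happens is not visible from this patch. Either set the agreed score, ` * @security-severity <SCORE>`, or drop the line until the score is decided, rather than merging the tag empty.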
--- a/java/ql/test/query-tests/security/CWE-489/Test.java
+++ b/java/ql/test/query-tests/security/CWE-489/Test.java
@@ -1,2 +1,39 @@
-// No need for Java code since only testing XML files
-public class Test { }
+package com.example.myapp;
+
+import android.app.Fragment;
+import android.os.Bundle;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.Button;
+import androidx.fragment.app.FragmentActivity;
+import androidx.fragment.app.FragmentTransaction;
+
+public class Test extends FragmentActivity {
+
+ @Override
+ public void onCreate(Bundle savedInstance) {
+ try {
+ super.onCreate(savedInstance);
+ final String fname = getIntent().getStringExtra("fname");
+ FragmentTransaction ft = getSupportFragmentManager().beginTransaction();
+ Class fClass = (Class) Class.forName(fname);
+ ft.add(fClass.newInstance(), ""); // hasTaintFlow
+ ft.add(0, Fragment.instantiate(this, fname), null); // hasTaintFlow
+ ft.add(0, Fragment.instantiate(this, fname, null)); // hasTaintFlow
+ ft.add(0, fClass, null, ""); // hasTaintFlow
+ ft.add(0, fClass.newInstance(), ""); // hasTaintFlow
+ ft.attach(fClass.newInstance()); // hasTaintFlow
+ ft.replace(0, fClass, null); // hasTaintFlow
+ ft.replace(0, fClass.newInstance()); // hasTaintFlow
+ ft.replace(0, fClass, null, ""); // hasTaintFlow
+ ft.replace(0, fClass.newInstance(), ""); // hasTaintFlow
+
+ ft.add(Fragment.class.newInstance(), ""); // Safe
+ ft.attach(Fragment.class.newInstance()); // Safe
+ ft.replace(0, Fragment.class.newInstance(), ""); // Safe
+ } catch (Exception e) {
+ }
+ }
+
+}
diff --git a/java/ql/test/query-tests/security/CWE-489/TestFalse.xml b/java/ql/test/query-tests/security/CWE-489/TestFalse.xml
index a66f706a3e7..7ab073147b0 100644
--- a/java/ql/test/query-tests/security/CWE-489/TestFalse.xml
+++ b/java/ql/test/query-tests/security/CWE-489/TestFalse.xml
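Review bot: The new body of Test.java does not exercise this query: it loads a fragment class named by the `fname` intent extra and carries `// hasTaintFlow` / `// Safe` markers that look copied from a fragment-injection test, while DebuggableAttributeTrue.expected lists only a TestTrue.xml result. Nothing visible in this patch checks those inline markers, so they suggest coverage that is not there and can drift unnoticed. The file also imports `LayoutInflater`, `View`, `ViewGroup` and `Button` without using them, swallows every exception in an empty `catch (Exception e) { }`, and declares `package com.example.myapp` while TestFalse.xml uses `package="com.example.happybirthday"`. If a Java source is only needed so the test database builds, keep the stub and say so, e.g. `// Stub only: this query is tested through the AndroidManifest XML files.` above `public class Test { }`.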
@@ -3,7 +3,7 @@ xmlns:tools="http://schemas.android.com/tools" package="com.example.happybirthday"> - + - + - +