Merge pull request #32 from Ostorlab/feature/secure_path_traversal

Add secure implementation of path traversal.

app/build.gradle

@@ -38,6 +38,7 @@ android {
             path "CMakeLists.txt"
         }
     }
+    namespace 'co.ostorlab.insecure_app'
 }
 
 String storageUrl = System.env.FLUTTER_STORAGE_BASE_URL ?:

app/src/main/java/co/ostorlab/insecure_app/MainActivity.java

@@ -26,6 +26,7 @@
 import co.ostorlab.insecure_app.bugs.calls.PathClassLoaderCall;
 import co.ostorlab.insecure_app.bugs.calls.PathTraversalVulnerability;
 import co.ostorlab.insecure_app.bugs.calls.RegisterReceiverExported;
+import co.ostorlab.insecure_app.bugs.calls.SecurePathTraversal;
 import co.ostorlab.insecure_app.bugs.calls.SerializableMemoryCorruption;
 import co.ostorlab.insecure_app.bugs.calls.StaticIV;
 import co.ostorlab.insecure_app.bugs.calls.HardcodedUrlInUrl;
@@ -119,6 +120,9 @@ private void executeAllRules(String user_input) {
         caller.addRule(new SqlInjection());
         caller.addRule(new RegisterBroadcastReceiverDynamically(this));
         caller.addRule(new InsecureWifiApi(this));
+        // Secure
+        caller.addRule(new SecurePathTraversal());
+
 
         try {
             caller.callRules(user_input);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java

@@ -12,12 +12,11 @@
 
 import java.io.File;
 import java.io.FileNotFoundException;
-import java.net.URI;
 
 import co.ostorlab.insecure_app.BugRule;
 
 public class PathTraversalVulnerability extends BugRule {
-    public class Provider extends ContentProvider{
+    public class Provider extends ContentProvider {
 
         @Override
         public boolean onCreate() {
@@ -58,12 +57,11 @@ public ParcelFileDescriptor openFile(Uri uri, @NonNull String mode) throws FileN
             File file = new File(Environment.getExternalStorageDirectory(), uri.getLastPathSegment());
             return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
         }
-
-
     }
+
     @Override
     public void run(String user_input) throws Exception {
-        if (user_input.isEmpty() == false){
+        if (!user_input.isEmpty()) {
             Provider taint_provider = new Provider();
             Uri.Builder taint_builder = new Uri.Builder();
             taint_builder.scheme("https");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SecurePathTraversal.java

@@ -0,0 +1,98 @@
+package co.ostorlab.insecure_app.bugs.calls;
+
+import android.content.ContentProvider;
+import android.content.ContentValues;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Environment;
+import android.os.ParcelFileDescriptor;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+
+import co.ostorlab.insecure_app.BugRule;
+
+
+public class SecurePathTraversal extends BugRule {
+
+    private static final String BASE_DIRECTORY = "/storage/";
+
+    public class Provider extends ContentProvider {
+
+        @Override
+        public boolean onCreate() {
+            return false;
+        }
+
+        @Nullable
+        @Override
+        public Cursor query(@NonNull Uri uri, @Nullable String[] strings, @Nullable String s, @Nullable String[] strings1, @Nullable String s1) {
+            return null;
+        }
+
+        @Nullable
+        @Override
+        public String getType(@NonNull Uri uri) {
+            return null;
+        }
+
+        @Nullable
+        @Override
+        public Uri insert(@NonNull Uri uri, @Nullable ContentValues contentValues) {
+            return null;
+        }
+
+        @Override
+        public int delete(@NonNull Uri uri, @Nullable String s, @Nullable String[] strings) {
+            return 0;
+        }
+
+        @Override
+        public int update(@NonNull Uri uri, @Nullable ContentValues contentValues, @Nullable String s, @Nullable String[] strings) {
+            return 0;
+        }
+
+        @Override
+        public ParcelFileDescriptor openFile(Uri uri, @NonNull String mode) throws FileNotFoundException {
+            try {
+                // Insecure pattern are from the methods getPath, getAbsolutePath, toPath, toAbsolutePath.
+                File file = new File(BASE_DIRECTORY, uri.getLastPathSegment()).getCanonicalFile();
+                if (!file.getPath().startsWith(BASE_DIRECTORY)) {
+                    throw new SecurityException("Attempt to access a file outside the base directory.");
+                }
+                return ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
+            } catch (IOException e) {
+                throw new FileNotFoundException("File not found or inaccessible.");
+            }
+        }
+    }
+
+    @Override
+    public void run(String user_input) throws Exception {
+        if (!user_input.isEmpty()) {
+            Provider taint_provider = new Provider();
+            Uri.Builder taint_builder = new Uri.Builder();
+            taint_builder.scheme("https");
+            taint_builder.authority(user_input);
+            Uri uri = taint_builder.build();
+            taint_provider.openFile(uri, "not used parameter");
+        }
+
+        Provider provider = new Provider();
+        Uri.Builder builder = new Uri.Builder();
+        builder.scheme("https");
+        builder.authority("ostorlab.co");
+        Uri uri = builder.build();
+
+        provider.openFile(uri, "not used parameter");
+    }
+
+    @Override
+    public String getDescription() {
+        return "Secure call to getLastPathSegment with Uri parameter";
+    }
+}

app/src/test/java/co/ostorlab/insecure_app/BugRuleCallerTest.java

@@ -25,11 +25,11 @@
 import co.ostorlab.insecure_app.bugs.calls.ECBModeCipher;
 import co.ostorlab.insecure_app.bugs.calls.InsecureRandom;
 import co.ostorlab.insecure_app.bugs.calls.IntentCall;
-import co.ostorlab.insecure_app.bugs.calls.MemoryCorruption;
 import co.ostorlab.insecure_app.bugs.calls.MobileOnlyDownloadManager;
 import co.ostorlab.insecure_app.bugs.calls.ParcelableMemoryCorruption;
 import co.ostorlab.insecure_app.bugs.calls.PathClassLoaderCall;
 import co.ostorlab.insecure_app.bugs.calls.PathTraversalVulnerability;
+import co.ostorlab.insecure_app.bugs.calls.SecurePathTraversal;
 import co.ostorlab.insecure_app.bugs.calls.SerializableMemoryCorruption;
 import co.ostorlab.insecure_app.bugs.calls.StaticIV;
 import co.ostorlab.insecure_app.bugs.calls.HardcodedUrlInUrl;
@@ -40,11 +40,9 @@
 import co.ostorlab.insecure_app.bugs.calls.BiometricFingerprintManagerVulnerability;
 import co.ostorlab.insecure_app.bugs.calls.PackageContextCall;
 
-import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
 import androidx.fragment.app.FragmentActivity;
@@ -243,4 +241,12 @@ public void ruleCaller_PackageContext_NoExceptionThrown() throws Exception{
 
         Assert.assertEquals(caller.getRules().size(), 1);
     }
+
+    @Test
+    public void ruleCaller_SecurePathTraversal_NoExceptionThrown() throws Exception{
+        caller.addRule(new SecurePathTraversal());
+        caller.callRules("");
+
+        Assert.assertEquals(caller.getRules().size(), 1);
+    }
 }

build.gradle

@@ -25,3 +25,4 @@ allprojects {
 task clean(type: Delete) {
     delete rootProject.buildDir
 }
+