Merge pull request #9939 from jcogs33/android-debug-query-inline-tests

Java: query to detect android:debuggable attribute enabled

Author: jcogs33

java/ql/lib/change-notes/2022-08-01-android-manifest-new-predicates.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a new predicate, `isInBuildDirectory`, in the `AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory.
+* Added a new predicate, `isDebuggable`, in the `AndroidApplicationXmlElement` class. This predicate detects if the application element has its `android:debuggable` attribute enabled.

java/ql/lib/semmle/code/xml/AndroidManifest.qll

@@ -18,6 +18,11 @@ class AndroidManifestXmlFile extends XMLFile {
    * Gets the top-level `<manifest>` element in this Android manifest file.
    */
   AndroidManifestXmlElement getManifestElement() { result = this.getAChild() }
+
+  /**
+   * Holds if this Android manifest file is located in a build directory.
+   */
+  predicate isInBuildDirectory() { this.getFile().getRelativePath().matches("%build%") }
 }
 
 /**
@@ -51,6 +56,17 @@ class AndroidApplicationXmlElement extends XMLElement {
    * Gets a component child element of this `<application>` element.
    */
   AndroidComponentXmlElement getAComponentElement() { result = this.getAChild() }
+
+  /**
+   * Holds if this application element has the attribute `android:debuggable` set to `true`.
+   */
+  predicate isDebuggable() {
+    exists(AndroidXmlAttribute attr |
+      this.getAnAttribute() = attr and
+      attr.getName() = "debuggable" and
+      attr.getValue() = "true"
+    )
+  }
 }
 
 /**

java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.qhelp

@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The Android manifest file defines configuration settings for Android applications.
+In this file, the <code>android:debuggable</code> attribute of the <code>application</code> element can be used to
+define whether or not the application can be debugged. When set to <code>true</code>, this attribute will allow the
+application to be debugged even when running on a device in user mode.</p>
+
+<p>When a debugger is enabled, it could allow for entry points in the application or reveal sensitive information.
+As a result, <code>android:debuggable</code> should only be enabled during development and should be disabled in
+production builds.</p>
+
+</overview>
+<recommendation>
+
+<p>In Android applications, either set the <code>android:debuggable</code> attribute to <code>false</code>,
+or do not include it in the manifest. The default value, when not included, is <code>false</code>.</p>
+
+</recommendation>
+<example>
+
+<p>In the example below, the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
+
+<sample src="DebuggableTrue.xml" />
+
+<p>The corrected version sets the <code>android:debuggable</code> attribute to <code>false</code>.</p>
+
+<sample src="DebuggableFalse.xml" />
+
+</example>
+<references>
+
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/manifest-intro">App Manifest Overview</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/application-element#debug">The android:debuggable attribute</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/studio/debug#enable-debug">Enable debugging</a>.
+</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Android debuggable attribute enabled
+ * @description An enabled debugger can allow for entry points in the application or reveal sensitive information.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.2
+ * @id java/android/debuggable-attribute-enabled
+ * @tags security
+ *       external/cwe/cwe-489
+ * @precision very-high
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidApplicationXmlElement androidAppElem
+where
+  androidAppElem.isDebuggable() and
+  not androidAppElem.getFile().(AndroidManifestXmlFile).isInBuildDirectory()
+select androidAppElem.getAttribute("debuggable"), "The 'android:debuggable' attribute is enabled."

java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml

@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- GOOD: 'android:debuggable' set to 'false' -->
+    <application
+        android:debuggable="false">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml

@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- BAD: 'android:debuggable' set to 'true' -->
+    <application
+        android:debuggable="true">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>

java/ql/src/change-notes/2022-08-01-android-debug-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/debuggable-attribute-enabled`, to detect if the `android:debuggable` attribute is enabled in the Android manifest.

java/ql/test/query-tests/security/CWE-489/AndroidManifest.xml

@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <!-- $ hasDebuggableAttributeEnabled --> <application
+        android:debuggable="true"
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

java/ql/test/query-tests/security/CWE-489/DebuggableAttributeEnabledTest.expected

@@ -0,0 +1,21 @@
+import java
+import semmle.code.xml.AndroidManifest
+import TestUtilities.InlineExpectationsTest
+
+class DebuggableAttributeEnabledTest extends InlineExpectationsTest {
+  DebuggableAttributeEnabledTest() { this = "DebuggableAttributeEnabledTest" }
+
+  override string getARelevantTag() { result = "hasDebuggableAttributeEnabled" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasDebuggableAttributeEnabled" and
+    exists(AndroidApplicationXmlElement androidAppElem |
+      androidAppElem.isDebuggable() and
+      not androidAppElem.getFile().(AndroidManifestXmlFile).isInBuildDirectory()
+    |
+      androidAppElem.getAttribute("debuggable").getLocation() = location and
+      element = androidAppElem.getAttribute("debuggable").toString() and
+      value = ""
+    )
+  }
+}