draft android debug query

Jami Cogswell · Jami Cogswell · commit 6720dba8e7d6 · 2022-08-15T15:49:59.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The <code>debuggable</code> attribute in the application section of the AndroidManifest.xml file should
+never be enabled in production builds.</p>
+
+<p>ADD MORE/EDIT?</p>
+
+</overview>
+<recommendation>
+
+<p>Make sure that the <code>debuggable</code> attribute is set to false in production builds.</p>
+
+</recommendation>
+<example>
+
+<p>In the example below, the <code>debuggable</code> attribute is set to <code>true</code>.</p>
+
+
+<p>The corrected version sets the <code>debuggable</code> attribute to <code>false</code>.</p>
+
+
+</example>
+<references>
+
+<li>
+  Java SE Documentation:
+  <a href="https://www.oracle.com/java/technologies/javase/codeconventions-statements.html#15395">Compound Statements</a>.
+</li>
+<li>
+  Wikipedia:
+  <a href="https://en.wikipedia.org/wiki/Indentation_style">Indentation style</a>.
+</li>
+
+</references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql
@@ -0,0 +1,22 @@
+// TODO: Fix up metadata
+/**
+ * @name Debuggable set to true
+ * @description The 'debuggable' attribute in the application section of the AndroidManifest.xml file should never be enabled in production builds // TODO: edit to be in-line wth guidelines
+ * @kind problem
+ * @problem.severity warning
+ * @id java/android/debuggable-true // TODO: consider editing
+ * @tags security                   // TODO: look into CWEs some more
+ *       external/cwe/cwe-489
+ *       external/cwe/cwe-710
+ * @precision high                  // TODO: adjust once review query results and FP ratio
+ * @security-severity 0.1           // TODO: auto-calculated: https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidXmlAttribute androidXmlAttr
+where
+  androidXmlAttr.getName() = "debuggable" and
+  androidXmlAttr.getValue() = "true"
+select androidXmlAttr, "Warning: 'android:debuggable=true' set"
diff --git a/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected b/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected
@@ -0,0 +1 @@
+| TestTrue.xml:7:5:17:30 | debuggable=true | Warning: 'android:debuggable=true' set |
diff --git a/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.qlref b/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-489/DebuggableAttributeTrue.ql
diff --git a/java/ql/test/query-tests/security/CWE-489/Test.java b/java/ql/test/query-tests/security/CWE-489/Test.java
@@ -0,0 +1,2 @@
+// No need for Java code since only testing XML files
+public class Test { }
diff --git a/java/ql/test/query-tests/security/CWE-489/TestFalse.xml b/java/ql/test/query-tests/security/CWE-489/TestFalse.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <!-- Safe: 'debuggable' set to false -->
+    <application
+        android:debuggable="false"
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application> <!-- test -->
+
+</manifest>
diff --git a/java/ql/test/query-tests/security/CWE-489/TestNotSet.xml b/java/ql/test/query-tests/security/CWE-489/TestNotSet.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <!-- Safe: 'debuggable' not set at all -->
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application> <!-- test -->
+
+</manifest>
diff --git a/java/ql/test/query-tests/security/CWE-489/TestTrue.xml b/java/ql/test/query-tests/security/CWE-489/TestTrue.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <!-- Not Safe: 'debuggable' set to true -->
+    <application
+        android:debuggable="true"
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application> <!-- test -->
+
+</manifest>
diff --git a/java/ql/test/query-tests/security/CWE-489/options b/java/ql/test/query-tests/security/CWE-489/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| TestTrue.xml:7:5:17:30 \| debuggable=true \| Warning: 'android:debuggable=true' set \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE/CWE-489/DebuggableAttributeTrue.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// No need for Java code since only testing XML files`
	`2`	`+public class Test { }`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`