Add android certificate pinning query

joefarebrother · joefarebrother · commit 17348fbd3231 · 2022-12-09T13:41:17.000Z
diff --git a/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
@@ -0,0 +1,56 @@
+import java
+import semmle.code.xml.AndroidManifest
+import semmle.code.java.dataflow.TaintTracking
+import HttpsUrls
+
+class AndroidNetworkSecurityConfigFile extends XmlFile {
+  AndroidNetworkSecurityConfigFile() {
+    exists(AndroidApplicationXmlElement app, AndroidXmlAttribute confAttr, string confName |
+      confAttr.getElement() = app and
+      confAttr.getValue() = "@xml/" + confName and
+      this.getRelativePath() = "res/xml/" + confName + ".xml" and
+      this.getARootElement().getName() = "network-security-config"
+    )
+  }
+}
+
+predicate isAndroid() { exists(AndroidManifestXmlFile m) }
+
+predicate trustedDomain(string domainName) {
+  exists(
+    AndroidNetworkSecurityConfigFile confFile, XmlElement domConf, XmlElement domain,
+    XmlElement trust
+  |
+    domConf.getFile() = confFile and
+    domConf.getName() = "domain-config" and
+    domain.getParent() = domConf and
+    domain.getName() = "domain" and
+    domain.getACharactersSet().getCharacters() = domainName and
+    trust.getParent() = domConf and
+    trust.getName() = ["trust-anchors", "pin-set"]
+  )
+}
+
+private class UntrustedUrlConfig extends TaintTracking::Configuration {
+  UntrustedUrlConfig() { this = "UntrustedUrlConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    exists(string d | trustedDomain(d)) and
+    exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
+      lit.matches("%://%") and // it's a URL
+      not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
+    )
+  }
+
+  override predicate isSink(DataFlow::Node node) { node instanceof UrlOpenSink }
+}
+
+predicate missingPinning(DataFlow::Node node) {
+  isAndroid() and
+  node instanceof UrlOpenSink and
+  (
+    not exists(string s | trustedDomain(s))
+    or
+    exists(UntrustedUrlConfig conf | conf.hasFlow(_, node))
+  )
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql b/java/ql/src/experimental/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Android Missing Certificate Pinning
+ * @description Network communication should use certificate pinning.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id java/android/missingcertificate-pinning
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.security.AndroidCertificatePinningQuery
+
+from DataFlow::Node node
+where missingPinning(node)
+select node, "This network call does not implement certificate pinning."
