Implement local auth query

joefarebrother · joefarebrother · commit 8bd79908a61c · 2024-01-30T16:49:55.000Z
diff --git a/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
@@ -0,0 +1,40 @@
+/** Definitions for the insecure local authentication query. */
+
+import java
+
+/** A base class that is used as a callback for biometric authentication. */
+private class AuthenticationCallbackClass extends Class {
+  AuthenticationCallbackClass() {
+    this.hasQualifiedName("android.hardware.fingerprint",
+      "FingerprintManager$AuthenticationCallback")
+    or
+    this.hasQualifiedName("android.hardware.biometrics", "BiometricPrompt$AuthenticationCallback")
+  }
+}
+
+/** An implementation of the `onAuthenticationSucceeded` method for an authentication callback. */
+class AuthenticationSuccessCallback extends Method {
+  AuthenticationSuccessCallback() {
+    this.getDeclaringType().getASupertype+() instanceof AuthenticationCallbackClass and
+    this.hasName("onAuthenticationSucceeded")
+  }
+
+  /** Gets the parameter containing the `authenticationResult` */
+  Parameter getResultParameter() { result = this.getParameter(0) }
+
+  /** Gets a use of the result parameter that's used in a `super` call to the base `AuthenticationCallback` class. */
+  private VarAccess getASuperResultUse() {
+    exists(SuperMethodCall sup |
+      sup.getEnclosingCallable() = this and
+      result = sup.getArgument(0) and
+      result = this.getResultParameter().getAnAccess() and
+      this.getDeclaringType().getASupertype() instanceof AuthenticationCallbackClass
+    )
+  }
+
+  /** Gets a use of the result parameter, other than one used in a `super` call. */
+  VarAccess getAResultUse() {
+    result = this.getResultParameter().getAnAccess() and
+    not result = this.getASuperResultUse()
+  }
+}
diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Insecure local authentication
+ * @description Local authentication that does not make use of a `CryptoObject` can be bypassed.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity ...TODO
+ * @precision high
+ * @id java/android/insecure-local-authentication
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+from AuthenticationSuccessCallback c
+where not exists(c.getAResultUse())
+select c, "This authentication callback does not use its result for a cryptographic operation."
