Add Quark Script CWE-73 (ev-flow#514)

Daisu27 · web-flow · commit 4ea67e53852b · 2023-05-31T14:12:45.000+08:00
* Add Quark Script CWE-73

* Add Quark Script CWE-73

* Correct the syntax errors.

* Fix the error of double quotation

* Correct errors discovered after merging.
diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst
@@ -1913,3 +1913,79 @@ Quark Script Result
    $ python CWE-925.py
    CWE-925 is detected in method, Lowasp/sat/agoat/ShowDataReceiver;
    CWE-925 is detected in method, Lcom/android/insecurebankv2/MyBroadCastReceiver;
+
+Detect  CWE-73 in Android Application (ovaa.apk)
+---------------------------------------------------
+
+This scenario seeks to find **External Control of File Name or Path**. See
+`CWE-73 <https://cwe.mitre.org/data/definitions/73.html>`__ for more
+details.
+
+First, we design a detection rule ``accessFileInExternalDir.json`` to spot behavior accessing a file in an external directory.
+
+Second, we use API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
+
+Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)``  to check if any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability.
+
+Quark Script CWE-73.py
+=======================
+
+.. code:: python
+
+    from quark.script import runQuarkAnalysis, Rule
+
+    SAMPLE_PATH = "ovaa.apk"
+    RULE_PATH = "accessFileInExternalDir.json"
+
+    OPEN_FILE_API = [
+        "Landroid/os/ParcelFileDescriptor;",                   # Class name
+        "open",                                                # Method name   
+        "(Ljava/io/File; I)Landroid/os/ParcelFileDescriptor;"  # Descriptor
+    ]
+
+    ruleInstance = Rule(RULE_PATH)
+    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+    for accessExternalDir in quarkResult.behaviorOccurList:
+        filePath = accessExternalDir.secondAPI.getArguments()[2]
+    
+        if quarkResult.isHardcoded(filePath):
+            continue
+
+        caller = accessExternalDir.methodCaller
+        result = quarkResult.findMethodInCaller(caller, OPEN_FILE_API)
+
+        if result:
+            print("CWE-73 is detected in method, ", caller.fullName)
+         
+Quark Rule: accessFileInExternalDir.json
+=========================================
+
+.. code-block:: json
+
+    {
+        "crime": "Access a file in an external directory",
+        "permission": [],
+        "api": [
+            {
+                "class": "Landroid/os/Environment;",
+                "method": "getExternalStorageDirectory",
+                "descriptor": "()Ljava/io/File;"
+            },
+            {
+                "class": "Ljava/io/File;",
+                "method": "<init>",
+                "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
+            }
+        ],
+        "score": 1,
+        "label": []
+    }
+
+Quark Script Result
+=====================
+
+.. code-block:: TEXT
+
+   $ python CWE-73.py
+   CWE-73 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
