From 0713ab353a484f9b796262a8ccfc1575b9f7440a Mon Sep 17 00:00:00 2001
From: zinwang <32264884+zinwang@users.noreply.github.com>
Date: Wed, 31 May 2023 11:20:55 +0800
Subject: [PATCH 1/4] Install packages with pip instead of Setuptools in CI (#517)
---
 .github/workflows/pytest.yml | 4 +---
 .github/workflows/smoke_test.yml | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index 96d548f1..a2fc5a73 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -44,9 +44,7 @@ jobs:
 python -m pip install click==8.0.3
 - name: Install Quark-Engine
- run: |
- python setup.py build
- python setup.py install
+ run: pip install .
 - name: Test with pytest
 run: |
diff --git a/.github/workflows/smoke_test.yml b/.github/workflows/smoke_test.yml
index b6c94818..1951c7ec 100644
--- a/.github/workflows/smoke_test.yml
+++ b/.github/workflows/smoke_test.yml
@@ -55,9 +55,7 @@ jobs:
 if: matrix.os == 'macOS-latest'
 - name: Install Quark-Engine
- run: |
- python setup.py build
- python setup.py install
+ run: pip install .
 # Download the latest rule set
 - name: Download rule from https://github.com/quark-engine/quark-rules
From 4ea67e53852b1d5fdbdec80585d4018056cf5daa Mon Sep 17 00:00:00 2001
From: Daisu27 <65787542+Daisu27@users.noreply.github.com>
Date: Wed, 31 May 2023 14:12:45 +0800
Subject: [PATCH 2/4] Add Quark Script CWE-73 (#514)
* Add Quark Script CWE-73
* Add Quark Script CWE-73
* Correct the syntax errors.
* Fix the error of double quotation
* Correct errors discovered after merging.
---
 docs/source/quark_script.rst | 76 ++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)
diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst
index 039fb9f7..8a329531 100644
--- a/docs/source/quark_script.rst
+++ b/docs/source/quark_script.rst
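Review bot: The new `run: pip install .` step in .github/workflows/pytest.yml calls bare `pip`, while the step just above it uses `python -m pip install click==8.0.3`; the same line is added in .github/workflows/smoke_test.yml. If `pip` on the runner's PATH belongs to a different interpreter than `python` (smoke_test.yml runs an OS matrix, per `if: matrix.os == 'macOS-latest'`), the package could land in an environment the tests do not use. I would write `run: python -m pip install .` in both workflows. Separately, this step resolves Quark-Engine's dependencies at whatever versions the index serves at run time, so a constraints file passed with `-c` would keep CI runs reproducible; whether the project pins them elsewhere is not visible in these hunks.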
@@ -1913,3 +1913,79 @@ Quark Script Result
 $ python CWE-925.py
 CWE-925 is detected in method, Lowasp/sat/agoat/ShowDataReceiver;
 CWE-925 is detected in method, Lcom/android/insecurebankv2/MyBroadCastReceiver;
+
+Detect CWE-73 in Android Application (ovaa.apk)
+---------------------------------------------------
+
+This scenario seeks to find **External Control of File Name or Path**. See
+`CWE-73 `__ for more
+details.
+
+First, we design a detection rule ``accessFileInExternalDir.json`` to spot behavior accessing a file in an external directory.
+
+Second, we use API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
+
+Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to check if any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability.
+
+Quark Script CWE-73.py
+=======================
+
+.. code:: python
+
+ from quark.script import runQuarkAnalysis, Rule
+
+ SAMPLE_PATH = "ovaa.apk"
+ RULE_PATH = "accessFileInExternalDir.json"
+
+ OPEN_FILE_API = [
+ "Landroid/os/ParcelFileDescriptor;", # Class name
+ "open", # Method name
+ "(Ljava/io/File; I)Landroid/os/ParcelFileDescriptor;" # Descriptor
+ ]
+
+ ruleInstance = Rule(RULE_PATH)
+ quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+ for accessExternalDir in quarkResult.behaviorOccurList:
+ filePath = accessExternalDir.secondAPI.getArguments()[2]
+
+ if quarkResult.isHardcoded(filePath):
+ continue
+
+ caller = accessExternalDir.methodCaller
+ result = quarkResult.findMethodInCaller(caller, OPEN_FILE_API)
+
+ if result:
+ print("CWE-73 is detected in method, ", caller.fullName)
+
+Quark Rule: accessFileInExternalDir.json
+=========================================
+
+.. code-block:: json
+
+ {
+ "crime": "Access a file in an external directory",
+ "permission": [],
+ "api": [
+ {
+ "class": "Landroid/os/Environment;",
+ "method": "getExternalStorageDirectory",
+ "descriptor": "()Ljava/io/File;"
+ },
+ {
+ "class": "Ljava/io/File;",
+ "method": "",
+ "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
+ }
+ ],
+ "score": 1,
+ "label": []
+ }
+
+Quark Script Result
+=====================
+
+.. code-block:: TEXT
+
+ $ python CWE-73.py
+ CWE-73 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
From 0d2df69c6d24480b47f7ca32d404be5dfe942f33 Mon Sep 17 00:00:00 2001
From: Daisu27 <65787542+Daisu27@users.noreply.github.com>
Date: Wed, 31 May 2023 15:01:38 +0800
Subject: [PATCH 3/4] Add document link of CWE-73 showcase to the README (#518)
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ede6b3bb..633a7d25 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@
 * [CWE-020](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-20-in-android-application-diva-apk) Improper Input Validation
 * [CWE-022](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-22-in-android-application-ovaa-apk-and-insecurebankv2-apk) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
 * [CWE-023](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-23-in-android-application-ovaa-apk-and-insecurebankv2-apk) Relative Path Traversal
+* [CWE-073](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-73-in-android-application-ovaa-apk) External Control of File Name or Path
 * [CWE-088](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-88-in-android-application-vuldroid-apk) Improper Neutralization of Argument Delimiters in a Command
 * [CWE-089](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-89-in-android-application-androgoat-apk) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
 * [CWE-094](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-94-in-android-application-ovaa-apk) Improper Control of Generation of Code ('Code Injection')
From 7e86744c8795a86da66d0ec55e6ff9492d6fa735 Mon Sep 17 00:00:00 2001
From: sidra-asa
Date: Wed, 31 May 2023 05:11:24 +0800
Subject: [PATCH 4/4] Update version number to v23.5.1
---
 quark/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quark/__init__.py b/quark/__init__.py
index 0df16ace..ed5472f8 100644
--- a/quark/__init__.py
+++ b/quark/__init__.py
@@ -1 +1 @@
-__version__ = "23.4.1"
+__version__ = "23.5.1"