Update version number to v23.5.1

.github/workflows/pytest.yml

@@ -44,9 +44,7 @@ jobs:
         python -m pip install click==8.0.3
 
     - name: Install Quark-Engine
-      run: |
-        python setup.py build
-        python setup.py install
+      run: pip install .
 
     - name: Test with pytest
       run: |

.github/workflows/smoke_test.yml

@@ -55,9 +55,7 @@ jobs:
       if: matrix.os == 'macOS-latest'
 
     - name: Install Quark-Engine
-      run: |
-        python setup.py build
-        python setup.py install
+      run: pip install .
 
     # Download the latest rule set
     - name: Download rule from https://github.com/quark-engine/quark-rules

README.md

@@ -56,6 +56,7 @@
 *   [CWE-020](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-20-in-android-application-diva-apk)  Improper Input Validation 
 *   [CWE-022](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-22-in-android-application-ovaa-apk-and-insecurebankv2-apk)  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
 *   [CWE-023](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-23-in-android-application-ovaa-apk-and-insecurebankv2-apk)  Relative Path Traversal
+*   [CWE-073](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-73-in-android-application-ovaa-apk)   External Control of File Name or Path 
 *   [CWE-088](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-88-in-android-application-vuldroid-apk)  Improper Neutralization of Argument Delimiters in a Command
 *   [CWE-089](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-89-in-android-application-androgoat-apk)  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 
 *   [CWE-094](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-94-in-android-application-ovaa-apk)  Improper Control of Generation of Code ('Code Injection') 

docs/source/quark_script.rst

@@ -1913,3 +1913,79 @@ Quark Script Result
    $ python CWE-925.py
    CWE-925 is detected in method, Lowasp/sat/agoat/ShowDataReceiver;
    CWE-925 is detected in method, Lcom/android/insecurebankv2/MyBroadCastReceiver;
+
+Detect  CWE-73 in Android Application (ovaa.apk)
+---------------------------------------------------
+
+This scenario seeks to find **External Control of File Name or Path**. See
+`CWE-73 <https://cwe.mitre.org/data/definitions/73.html>`__ for more
+details.
+
+First, we design a detection rule ``accessFileInExternalDir.json`` to spot behavior accessing a file in an external directory.
+
+Second, we use API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
+
+Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)``  to check if any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability.
+
+Quark Script CWE-73.py
+=======================
+
+.. code:: python
+
+    from quark.script import runQuarkAnalysis, Rule
+
+    SAMPLE_PATH = "ovaa.apk"
+    RULE_PATH = "accessFileInExternalDir.json"
+
+    OPEN_FILE_API = [
+        "Landroid/os/ParcelFileDescriptor;",                   # Class name
+        "open",                                                # Method name   
+        "(Ljava/io/File; I)Landroid/os/ParcelFileDescriptor;"  # Descriptor
+    ]
+
+    ruleInstance = Rule(RULE_PATH)
+    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+    for accessExternalDir in quarkResult.behaviorOccurList:
+        filePath = accessExternalDir.secondAPI.getArguments()[2]
+
+        if quarkResult.isHardcoded(filePath):
+            continue
+
+        caller = accessExternalDir.methodCaller
+        result = quarkResult.findMethodInCaller(caller, OPEN_FILE_API)
+
+        if result:
+            print("CWE-73 is detected in method, ", caller.fullName)
+
+Quark Rule: accessFileInExternalDir.json
+=========================================
+
+.. code-block:: json
+
+    {
+        "crime": "Access a file in an external directory",
+        "permission": [],
+        "api": [
+            {
+                "class": "Landroid/os/Environment;",
+                "method": "getExternalStorageDirectory",
+                "descriptor": "()Ljava/io/File;"
+            },
+            {
+                "class": "Ljava/io/File;",
+                "method": "<init>",
+                "descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
+            }
+        ],
+        "score": 1,
+        "label": []
+    }
+
+Quark Script Result
+=====================
+
+.. code-block:: TEXT
+
+   $ python CWE-73.py
+   CWE-73 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;

quark/__init__.py

@@ -1 +1 @@
-__version__ = "23.4.1"
+__version__ = "23.5.1"