-
Notifications
You must be signed in to change notification settings - Fork 139
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create effect source for Classes with DFA annotations
Summary: Sources exported through the Manifest can have every Intent extra attacker controlled. When a class is exported through DFA, example, https://www.internalfb.com/code/fbsource/[c399f7a2de139677a650bc2fdd21e02510214002]/fbandroid/java/com/instagram/urlhandlers/emailconfirm/EmailConfirmExternalUrlHandlerActivity.java?lines=60-66 The only parts that are attacker controlled of the URL are the parameters that are in the template of the UriPattern. Therefore we want superset of attacker controlled data which is `ExportedOrDfaComponent` while also leaving the subset `ExportedComponent` for example when we try and detect if a Serialized class is sent via an Intent (which is impossible over DFA which only allows strings). In addition by switching from a feature (`via-public-dfa-scheme`) to effect sources meaning that a switch of accessScope would show up in diff analysis. Reviewed By: anwesht Differential Revision: D62640787 fbshipit-source-id: 67d37b3ba631747baf149b71df09d8776b2f48f1
- Loading branch information
1 parent
0daa39d
commit 732c0a9
Showing
2 changed files
with
130 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
/* | ||
* Copyright (c) Meta Platforms, Inc. and affiliates. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
*/ | ||
|
||
#include <mariana-trench/Constants.h> | ||
#include <mariana-trench/Model.h> | ||
#include <mariana-trench/model-generator/DFASourceGenerator.h> | ||
|
||
namespace marianatrench { | ||
|
||
namespace { | ||
bool is_class_accessible_via_dfa(const DexClass* clazz) { | ||
if (!clazz->get_anno_set()) { | ||
return false; | ||
} | ||
|
||
auto dfa_annotation_type = | ||
marianatrench::constants::get_dfa_annotation_type(); | ||
for (const auto& annotation : clazz->get_anno_set()->get_annotations()) { | ||
if (!annotation->type() || | ||
annotation->type()->str() != dfa_annotation_type) { | ||
continue; | ||
} | ||
|
||
auto public_scope = marianatrench::constants::get_public_access_scope(); | ||
for (const DexAnnotationElement& element : annotation->anno_elems()) { | ||
if (element.string->str() == "enforceScope" && | ||
element.encoded_value->as_value() == 0) { | ||
return true; | ||
} | ||
|
||
if (element.string->str() == "accessScope" && | ||
element.encoded_value->show() == public_scope) { | ||
return true; | ||
} | ||
} | ||
} | ||
return false; | ||
} | ||
} // namespace | ||
|
||
DFASourceGenerator::DFASourceGenerator(Context& context) | ||
: ModelGenerator("dfa_source_generator", context) {} | ||
|
||
std::vector<Model> DFASourceGenerator::emit_method_models( | ||
const Methods& methods) { | ||
ConcurrentSet<const DexClass*> dfa_classes; | ||
for (auto& scope : DexStoreClassesIterator(context_.stores)) { | ||
walk::parallel::classes(scope, [&dfa_classes](DexClass* clazz) { | ||
if (is_class_accessible_via_dfa(clazz)) { | ||
dfa_classes.emplace(clazz); | ||
} | ||
}); | ||
} | ||
|
||
ConcurrentSet<const DexClass*> nested_dfa_classes; | ||
for (auto& scope : DexStoreClassesIterator(context_.stores)) { | ||
walk::parallel::classes( | ||
scope, [&dfa_classes, &nested_dfa_classes](DexClass* clazz) { | ||
for (const DexClass* exported_class : dfa_classes) { | ||
auto dex_klass_prefix = exported_class->get_name()->str_copy(); | ||
dex_klass_prefix.erase(dex_klass_prefix.length() - 1); | ||
|
||
if (boost::starts_with(show(clazz), dex_klass_prefix)) { | ||
nested_dfa_classes.emplace(clazz); | ||
} | ||
} | ||
}); | ||
} | ||
|
||
dfa_classes.insert(nested_dfa_classes.begin(), nested_dfa_classes.end()); | ||
|
||
std::vector<Model> models; | ||
for (const auto* dex_klass : dfa_classes) { | ||
// Mark all public and protected methods in the class as exported. | ||
for (const auto* dex_callee : dex_klass->get_all_methods()) { | ||
if (dex_callee == nullptr) { | ||
continue; | ||
} | ||
|
||
if (dex_callee->get_access() & DexAccessFlags::ACC_PRIVATE) { | ||
continue; | ||
} | ||
|
||
const auto* callee = methods.get(dex_callee); | ||
if (callee == nullptr) { | ||
continue; | ||
} | ||
|
||
Model model(callee, context_); | ||
model.add_call_effect_source( | ||
AccessPath(Root(Root::Kind::CallEffectExploitability)), | ||
generator::source( | ||
context_, | ||
/* kind */ "DfaComponent"), | ||
*context_.heuristics); | ||
models.push_back(model); | ||
} | ||
} | ||
return models; | ||
} | ||
|
||
} // namespace marianatrench |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
/* | ||
* Copyright (c) Meta Platforms, Inc. and affiliates. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
*/ | ||
|
||
#pragma once | ||
|
||
#include <mariana-trench/model-generator/ModelGenerator.h> | ||
|
||
namespace marianatrench { | ||
|
||
class DFASourceGenerator : public ModelGenerator { | ||
public: | ||
explicit DFASourceGenerator(Context& context); | ||
|
||
std::vector<Model> emit_method_models(const Methods&) override; | ||
|
||
private: | ||
std::string resources_directory_; | ||
}; | ||
|
||
} // namespace marianatrench |