Add taint parameter and change rules

app/src/main/java/co/ostorlab/insecure_app/BugRule.java

@@ -8,7 +8,7 @@ abstract public class BugRule {
 
     public void setContext(Context context){ this.context = context;}
     public Context getContext(){ return context;}
-    abstract public void run() throws Exception;
+    abstract public void run(String input) throws Exception;
     abstract public String getDescription();
     public String toString()
     {

app/src/main/java/co/ostorlab/insecure_app/BugRuleCaller.java

@@ -35,9 +35,9 @@ <T extends BugRule> void addRule(T rule){
         rules.add(rule);
     }
 
-    void callRules() throws Exception{
+    void callRules(String user_input) throws Exception{
         for(final BugRule rule: rules){
-            runInThread(rule);
+            runInThread(rule, user_input);
         }
     }
 
@@ -50,11 +50,11 @@ String listBugRules() throws Exception{
         return buffer.toString();
     }
 
-    private void runInThread(final BugRule rule) throws Exception {
+    private void runInThread(final BugRule rule, String user_input) throws Exception {
         new Thread(new Runnable() {
             public void run() {
                 try {
-                    rule.run();
+                    rule.run(user_input);
                 }
                 catch (Exception e) {
                     e.printStackTrace();

app/src/main/java/co/ostorlab/insecure_app/MainActivity.java

@@ -4,6 +4,7 @@
 import android.view.View;
 import android.widget.Button;
 import android.widget.TextView;
+import android.widget.EditText;
 
 import androidx.appcompat.app.AppCompatActivity;
 
@@ -39,7 +40,8 @@
 
 public class MainActivity extends AppCompatActivity {
     private TextView outputView;
-    private Button runAllButton ;
+    private Button runAllButton;
+    private EditText inputField;
 
     @Override
     protected void onCreate(Bundle savedInstanceState) {
@@ -50,8 +52,10 @@ protected void onCreate(Bundle savedInstanceState) {
         // Trigger flutter directly when the app starts.
         triggerFlutter();
 
+
         final Button runAllButton = findViewById(R.id.runAllId);
         final Button runAllFlutterButton = findViewById(R.id.runAllFlutterId);
+        final EditText inputField = findViewById(R.id.editText);
         runAllFlutterButton.setOnClickListener(new View.OnClickListener() {
             @Override
             public void onClick(View view) {
@@ -62,8 +66,10 @@ public void onClick(View view) {
         runAllButton.setOnClickListener(new View.OnClickListener() {
             @Override
             public void onClick(View view) {
+                String user_input = inputField.getText().toString();
                 outputView.setText("Running \n");
-                executeAllRules();
+
+                executeAllRules(user_input);
             }
         });
 
@@ -73,7 +79,7 @@ private void triggerFlutter(){
                 FlutterActivity.createDefaultIntent(MainActivity.this)
         );
     }
-    private void executeAllRules() {
+    private void executeAllRules(String user_input) {
         BugRuleCaller caller = new BugRuleCaller(getApplicationContext());
         outputView.append("Adding rules ...\n");
         caller.addRule(new ECBModeCipher());
@@ -106,7 +112,7 @@ private void executeAllRules() {
         caller.addRule(new RegisterReceiverExported(this));
 
         try {
-            caller.callRules();
+            caller.callRules(user_input);
             outputView.append(caller.listBugRules());
 
         } catch (Exception e){

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/AESCipher.java

@@ -19,8 +19,11 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String clearText = "Jan van Eyck was here 1434";
+        if (user_input.length() != 0){
+            clearText = user_input;
+        }
         String key = "ThisIs128bitSize";
         SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
         Cipher cipher = Cipher.getInstance("AES");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ArrayCall.java

@@ -13,7 +13,7 @@ public class ArrayCall extends BugRule {
     private static final String TAG = ArrayCall.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         int[] ages = new int[5];
         handle_array(ages, 5, 0);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintManagerVulnerability.java

@@ -12,7 +12,7 @@
 public final class BiometricFingerprintManagerVulnerability extends BugRule {
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Context context = getContext();
 //        The class FingerprintManager
         FingerprintManager fingerprintManager = (FingerprintManager) context.getSystemService(Context.FINGERPRINT_SERVICE);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/BiometricFingerprintPromptVulnerability.java

@@ -17,7 +17,7 @@ public BiometricFingerprintPromptVulnerability(FragmentActivity activity) {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Context context = getContext();
 
         BiometricPrompt.AuthenticationCallback authenticationCallback = new BiometricPrompt.AuthenticationCallback() {

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ClearTextTraffic.java

@@ -13,7 +13,7 @@ public class ClearTextTraffic extends BugRule {
     private static final String TAG = ClearTextTraffic.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         OkHttpClient client = new OkHttpClient.Builder()
                 .build();
         Request request = new Request.Builder()

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/CommandExec.java

@@ -8,11 +8,16 @@ public class CommandExec extends BugRule {
     private static final String TAG = CommandExec.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         String domainName = "google.com";
         String command = "";
 
+        // Tainted command.
+        if (user_input.length() != 0){
+            executeCommand(command, null);
+        }
+
         // command contains chmod
         command = "chmod 777" + domainName;
         executeCommand(command, null);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/DexClassLoaderCall.java

@@ -21,7 +21,20 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        /*
+            Dex class loading from user input
+        */
+        if (user_input.length() != 0){
+            String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + "user_input";
+            DexClassLoader classLoader1 = new DexClassLoader(
+                apkFile,
+                apkFile,
+                apkFile,
+                ClassLoader.getSystemClassLoader());
+            classLoader1.loadClass("a.b.c");
+        }
+
         /*
             Dex class loading from external storage
          */

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ECBModeCipher.java

@@ -19,8 +19,11 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String clearText = "Jan van Eyck was here 1434";
+        if (user_input.length() != 0){
+            clearText = user_input;
+        }
         String key = "ThisIs128bitSize";
         SecretKeySpec skeySpec = new SecretKeySpec(key.getBytes(), "AES");
         Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HardcodedUrlInUrl.java

@@ -19,7 +19,15 @@ public String get_url() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        if (user_input.length() != 0){
+            ContextCompat.getMainExecutor(getContext()).execute(()  -> {
+                Log.i(TAG, String.format("Message: %s", user_input));
+                WebView webView = new WebView(getContext());
+                webView.loadUrl(user_input);
+            });
+        }
+
         ContextCompat.getMainExecutor(getContext()).execute(()  -> {
             Log.i(TAG, String.format("Message: %s", get_url()));
             WebView webView = new WebView(getContext());

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/HashCall.java

@@ -9,7 +9,7 @@ public class HashCall extends BugRule {
     private static final String TAG = HashCall.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         String monMessage = "Ostorlab hidden message";
 

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ImplicitPendingIntentVulnerability.java

@@ -7,7 +7,7 @@
 
 public class ImplicitPendingIntentVulnerability extends BugRule {
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         // Create an implicit base Intent and wrap it in a PendingIntent
 
         Intent base = new Intent("ACTION_FOO");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureCommands.java

@@ -8,7 +8,10 @@ public class InsecureCommands extends BugRule {
     private static final String TAG = InsecureCommands.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        if (user_input.length() != 0){
+            executeCommand(user_input, null);
+        }
         executeCommand("chmod 755 test_file", "/data/data/");
         executeCommand("ping -c 3 www.ostorlab.co", "/sdcard/ostorlab");
     }

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureFilePermissions.java

@@ -15,12 +15,18 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         String filename = "test_filename";
         openFileOutputWorldReadable(filename);
         openFileOutputWorldWritable(filename);
         setReadableAll(filename);
         setWritableAll(filename);
+        if (user_input.length() != 0){
+            openFileOutputWorldReadable(user_input);
+            openFileOutputWorldWritable(user_input);
+            setReadableAll(user_input);
+            setWritableAll(user_input);
+        }
     }
 
     private void openFileOutputWorldReadable(String filename) throws Exception {

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureRandom.java

@@ -8,7 +8,7 @@
 
 public final class InsecureRandom extends BugRule {
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         SecureRandom secureRandom = new SecureRandom();
         Random random = new Random();
         random = new Random(12345);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/InsecureSharedPreferences.java

@@ -15,7 +15,7 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String myPreference = "myPreference";
         getContext().getSharedPreferences("PrivateOnly", Context.MODE_PRIVATE);
         getContext().getSharedPreferences("WorldReadableOnly", Context.MODE_WORLD_READABLE);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/IntentCall.java

@@ -8,7 +8,7 @@ public class IntentCall extends BugRule {
     private static final String TAG = IntentCall.class.toString();
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Intent intent = new Intent("co.ostorlab");
         intent.putExtra("token", "SuperSecretToken");
         getContext().sendBroadcast(intent);

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MemoryCorruption.java

@@ -22,7 +22,7 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
         String input = String.join("", Collections.nCopies(200, "()"));
         triggerStackOverflow(input);
     }

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/MobileOnlyDownloadManager.java

@@ -18,7 +18,7 @@ public final class MobileOnlyDownloadManager extends BugRule {
         private static final String TAG = co.ostorlab.insecure_app.bugs.calls.MobileOnlyDownloadManager.class.toString();
 
         @Override
-        public void run() throws Exception {
+        public void run(String user_input) throws Exception {
             // True Positive
             startDownloadManager(DownloadManager.Request.NETWORK_MOBILE);
             // False Positive

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PackageContextCall.java

@@ -25,7 +25,7 @@ public String getDescription() {
     }
 
     @Override
-    public void run() {
+    public void run(String user_input) {
         Context context = getContext();
         PackageManager packageManager = context.getPackageManager();
 

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/ParcelableMemoryCorruption.java

@@ -52,7 +52,7 @@ public void writeToParcel(android.os.Parcel parcel, int i) {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         Parcel tmp = Parcel.obtain();
         MemoryObjectParcelable var = new MemoryObjectParcelable(tmp);
     }

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathClassLoaderCall.java

@@ -18,7 +18,15 @@ public String getDescription() {
     }
 
     @Override
-    public void run() throws Exception{
+    public void run(String user_input) throws Exception{
+        /*
+            Path class loading from external storage
+        */
+        if (user_input.length() != 0){
+            String apkFile = Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + user_input;
+            PathClassLoader classLoader1 = new PathClassLoader(apkFile, ClassLoader.getSystemClassLoader());
+            classLoader1.loadClass("a.b.c");
+        }
         /*
             Path class loading from external storage
          */

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/PathTraversalVulnerability.java

@@ -62,7 +62,16 @@ public ParcelFileDescriptor openFile(Uri uri, @NonNull String mode) throws FileN
 
     }
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
+        if (user_input.length() != 0){
+            Provider taint_provider = new Provider();
+            Uri.Builder taint_builder = new Uri.Builder();
+            taint_builder.scheme("https");
+            taint_builder.authority(user_input);
+            Uri uri = taint_builder.build();
+            taint_provider.openFile(uri, "not used parameter");
+        }
+
         Provider provider = new Provider();
         Uri.Builder builder = new Uri.Builder();
         builder.scheme("https");

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/RegisterReceiverExported.java

@@ -34,7 +34,7 @@ public RegisterReceiverExported(FragmentActivity mActivity) {
     }
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
         IntentFilter intentFilter = new IntentFilter(WifiManager.WIFI_STATE_CHANGED_ACTION);
         mActivity.registerReceiver(new WifiStateReceiver(), intentFilter, Context.RECEIVER_EXPORTED);
     }

app/src/main/java/co/ostorlab/insecure_app/bugs/calls/SQLiteDatabaseCall.java

@@ -9,13 +9,16 @@
 public class SQLiteDatabaseCall extends BugRule {
 
     @Override
-    public void run() throws Exception {
+    public void run(String user_input) throws Exception {
 
         MySQLiteOpenHelper mySQLiteOpenHelper = new MySQLiteOpenHelper(this.getContext());
         SQLiteDatabase db = mySQLiteOpenHelper.getWritableDatabase();
         mySQLiteOpenHelper.createTable();
         String insert_query = "INSERT INTO accounts(name, amount) VALUES(?, ?)";
         db.execSQL(insert_query, new Object[]{"Jack", 3000});
+        if (user_input.length() != 0){
+            db.execSQL(user_input, new Object[]{"Taint", 3001});
+        }
         mySQLiteOpenHelper.dropTable();
         db.close();