Java : add query to detect insecure loading of Dex File

[ghost]

Loading a DEX library located in a world-readable/ writable directory can cause arbitary code execution vulnerabilities.

This query detects instances where a dexfile from a world readable/writable directory is loaded by the app. Since anyone can write into a world writable directory, the attacker may create a new apk/dex package with the target name and have the application load and execute malicious code.

[intrigus-lgtm]

Out of interest, did you bughunt using this query?

[ghost]

@intrigus-lgtm I found two issues through fuzzy search.

• oversecured/ovaa
• reyhoo/collection

[intrigus-lgtm]

@intrigus-lgtm I found two issues through fuzzy search.

* [oversecured/ovaa](https://github.com/oversecured/ovaa/blob/fd6489dc1356d3edf1b6412601a7560f08822de3/app/src/main/java/oversecured/ovaa/OversecuredApplication.java#L49-L51)

* [reyhoo/collection](https://github.com/reyhoo/collection/blob/5cc0ab1b0596fd7eefb0bf755525c1cc4b8d1579/JavaRXDemo/opensdk/src/main/java/com/chinaums/opensdk/weex/plugin/PluginManager.java#L82-L84)

Nice, but I meant bughunt in the sense of "The Bug Slayer" bounty.

[ghost]

@intrigus-lgtm I don't have access to LGTM. So couldn't run it across all of Github.

[smowton]

Your description talks about file permissions, but the implementation checks whether the apk file is on an external drive instead?

[ghost]

@smowton Since the file permissions are controlled by the OS, and a SD Card is a removable device, a malicious actor can simply modify the content on the SD card to his pleasure. Hence, an external SD card is considered a world readable/writable storage device on Android platforms.

[smowton]

Sure, then the query description should be explicit about what you're actually checking

[smowton]

Hadn't realised the ball was back in my court here. Is there a bounty ticket for this one?

[intrigus-lgtm]

@smowton I think the bounty ticket for this one is:
github/securitylab#232

[smowton]

Thanks, starting an evaluation and passing to seclab to review the results

[ghost]

@pwntester @smowton I have added a few more sinks and some taint flow steps. PTAL.

[ghost]

@smowton Changes done!

[smowton]

Waiting for final review on this one

[aschackmull]

QHelp is missing. There's an example code snippet (java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.java), but no .qhelp file to reference it.

[aschackmull]

Warning: WARNING: Unused variable a (/home/runner/work/semmle-code/semmle-code/ql/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll:87,31-32)

[ghost]

@aschackmull Changes Done!

[ghost]

@intrigus-lgtm changes done. I have also rebased it to the latest main

[ghost]

@smowton changes done!