From 1c6a6fa76650e5f5176f6938ce7cfdada3a342d1 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 2 Feb 2024 13:03:51 +0200
Subject: [PATCH] feat(java): add screenshot prevention rule
---
 .../workflows/canary_integration_tests.yml | 1 +
 .github/workflows/integration_tests.yml | 1 +
 rules/java/android/prevent_screenshot.yml | 49 +++++++++++++++++++
 tests/java/android/prevent_screenshot/test.js | 18 +++++++
 .../prevent_screenshot/testdata/main.java | 13 +++++
 5 files changed, 82 insertions(+)
 create mode 100644 rules/java/android/prevent_screenshot.yml
 create mode 100644 tests/java/android/prevent_screenshot/test.js
 create mode 100644 tests/java/android/prevent_screenshot/testdata/main.java
diff --git a/.github/workflows/canary_integration_tests.yml b/.github/workflows/canary_integration_tests.yml
index 90f1dd754..bdc9e7e4d 100644
--- a/.github/workflows/canary_integration_tests.yml
+++ b/.github/workflows/canary_integration_tests.yml
@@ -29,6 +29,7 @@ jobs:
 "ruby/third_parties",
 "java/lang",
 "java/spring",
+ "java/android",
 "php/lang",
 "php/symfony",
 "php/third_parties",
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
index 3f4b4ab51..36cc99a18 100644
--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -36,6 +36,7 @@ jobs:
 "ruby/third_parties",
 "java/lang",
 "java/spring",
+ "java/android",
 "php/lang",
 "php/symfony",
 "php/third_parties",
diff --git a/rules/java/android/prevent_screenshot.yml b/rules/java/android/prevent_screenshot.yml
new file mode 100644
index 000000000..dc07502c8
--- /dev/null
+++ b/rules/java/android/prevent_screenshot.yml
@@ -0,0 +1,49 @@
+imports:
+ - java_shared_lang_instance
+patterns:
+ - pattern: |
+ $.$($$<...>);
+ filters:
+ - variable: GET_WINDOW
+ detection: java_android_prevent_screenshot_get_window
+ - variable: METHOD
+ values:
+ - setFlags
+ - addFlags
+ - variable: FLAG_SECURE
+ detection: java_android_prevent_screenshot_flag_secure
+auxiliary:
+ - id: java_android_prevent_screenshot_get_window
+ patterns:
+ - getWindow()
+ - pattern: $<_>.getWindow()
+ - id: java_android_prevent_screenshot_flag_secure
+ patterns:
+ - WindowManager.LayoutParams.FLAG_SECURE;
+languages:
+ - java
+severity: warning
+metadata:
+ description: Permissive screenshot option set
+ remediation_message: |
+ ## Description
+
+ Android may take screenshots of the current application view for display purposes, for example when an application is sent to the background.
+ Whether or not Android is permitted to take such screenshots is determined by the FLAG_SECURE option.
+
+ By default, the FLAG_SECURE option is not set and no screenshots are taken.
+
+ For best security practices, we should not set the FLAG_SECURE to true and we should never allow Android to take screenshots of the current application activity.
+
+ ## Remediations
+
+ ❌ Do not set the FLAG_SECURE option, to ensure that Android does not take screenshots of potentially sensitive information
+
+ ## References
+
+ - []()
+
+ cwe_id:
+ - 200
+ id: java_android_prevent_screenshot
+ documentation_url: https://docs.bearer.com/reference/rules/java_android_prevent_screenshot
diff --git a/tests/java/android/prevent_screenshot/test.js b/tests/java/android/prevent_screenshot/test.js
new file mode 100644
index 000000000..fed647f00
--- /dev/null
+++ b/tests/java/android/prevent_screenshot/test.js
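Review bot: The rule in rules/java/android/prevent_screenshot.yml appears to be inverted: it reports `setFlags`/`addFlags` calls that pass `WindowManager.LayoutParams.FLAG_SECURE`, yet on Android that flag is what marks a window as secure and keeps its content out of screenshots and the recents thumbnail. The remediation text carries the same reversal ("By default ... no screenshots are taken", "Do not set the FLAG_SECURE option"); when the flag is absent, capture is permitted, so the rule as written warns on the hardened code and steers developers toward removing the protection. The `bad()` expectations in testdata/main.java rest on the same assumption and would need to flip with it. I would change the guidance to something like `✅ Set FLAG_SECURE on windows that show sensitive data: getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE)` and point detection at `clearFlags(WindowManager.LayoutParams.FLAG_SECURE)` or at sensitive activities that never set the flag. The `- []()` entry under References is an empty link and should be filled in or dropped.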
@@ -0,0 +1,18 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("tapjacking", () => {
+ const testCase = "main.java"
+
+ const results = invoke(testCase)
+
+ expect(results.Missing).toEqual([])
+ expect(results.Extra).toEqual([])
+ })
+})
\ No newline at end of file
diff --git a/tests/java/android/prevent_screenshot/testdata/main.java b/tests/java/android/prevent_screenshot/testdata/main.java
new file mode 100644
index 000000000..79e75bdd3
--- /dev/null
+++ b/tests/java/android/prevent_screenshot/testdata/main.java
@@ -0,0 +1,13 @@
+public class FlagSecure extends Activity {
+ public void bad() {
+ // bearer:expected java_android_prevent_screenshot
+ getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
+ WindowManager.LayoutParams.FLAG_SECURE);
+ // bearer:expected java_android_prevent_screenshot
+ activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);
+ }
+
+ public void ok() {
+ activity.getWindow().addFlags("some other flag");
+ }
+}
\ No newline at end of file
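Review bot: In tests/java/android/prevent_screenshot/test.js the case is named `test("tapjacking", () => {`, which looks carried over from another rule's test, so a failure report would point at the wrong check. Naming it after the rule under test, e.g. `test("prevent_screenshot", () => {`, keeps test output traceable to this rule. The file also ends without a trailing newline.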
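Review bot: The negative case in tests/java/android/prevent_screenshot/testdata/main.java, `activity.getWindow().addFlags("some other flag");`, passes a string literal where the API takes an int flag, so it only shows that the rule ignores a string argument. A realistic negative such as `activity.getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);` would show that the FLAG_SECURE filter tells real window flags apart. `activity` is not declared anywhere in the class, which is harmless for pattern matching but makes the fixture harder to read.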