PrivateKeyDetector.java

/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.tools.lint.checks;

import com.android.annotations.NonNull;
import com.android.tools.lint.detector.api.Category;
import com.android.tools.lint.detector.api.Context;
import com.android.tools.lint.detector.api.Detector;
import com.android.tools.lint.detector.api.Implementation;
import com.android.tools.lint.detector.api.Issue;
import com.android.tools.lint.detector.api.LintUtils;
import com.android.tools.lint.detector.api.Location;
import com.android.tools.lint.detector.api.Scope;
import com.android.tools.lint.detector.api.Severity;
import com.android.tools.lint.detector.api.Speed;
import com.google.common.base.Charsets;
import com.google.common.io.Files;

import java.io.File;
import java.io.IOException;
import java.util.EnumSet;

/**
 * Looks for packaged private key files.
 */
public class PrivateKeyDetector extends Detector implements Detector.OtherFileScanner {
    /** Packaged private key files */
    public static final Issue ISSUE = Issue.create(
            "PackagedPrivateKey", //$NON-NLS-1$
            "Packaged private key",

            "In general, you should not package private key files inside your app.",

            Category.SECURITY,
            8,
            Severity.FATAL,
            new Implementation(PrivateKeyDetector.class, Scope.OTHER_SCOPE));

    /** Constructs a new {@link PrivateKeyDetector} check */
    public PrivateKeyDetector() {
    }

    private static boolean isPrivateKeyFile(File file) {
        if (!file.isFile() ||
            (!LintUtils.endsWith(file.getPath(), "pem") &&  //NON-NLS-1$
             !LintUtils.endsWith(file.getPath(), "key"))) { //NON-NLS-1$
            return false;
        }

        try {
            String firstLine = Files.readFirstLine(file, Charsets.US_ASCII);
            return firstLine != null &&
                firstLine.startsWith("---") &&     //NON-NLS-1$
                firstLine.contains("PRIVATE KEY"); //NON-NLS-1$
        } catch (IOException ex) {
            // Don't care
        }

        return false;
    }

    // ---- Implements OtherFileScanner ----

    @NonNull
    @Override
    public EnumSet<Scope> getApplicableFiles() {
        return Scope.OTHER_SCOPE;
    }

    @Override
    public void run(@NonNull Context context) {
        if (!context.getProject().getReportIssues()) {
            // If this is a library project not being analyzed, ignore it
            return;
        }

        File file = context.file;
        if (isPrivateKeyFile(file)) {
            String fileName = file.getParentFile().getName() + File.separator
                + file.getName();
            String message = String.format(
                "The `%1$s` file seems to be a private key file. " +
                "Please make sure not to embed this in your APK file.", fileName);
            context.report(ISSUE, Location.create(file), message);
        }
    }

    @NonNull
    @Override
    public Speed getSpeed() {
        return Speed.NORMAL;
    }
}