Skip to content

Optimize the document of Quark Script CWE-940#831

Merged
haeter525 merged 1 commit into
ev-flow:masterfrom
pulorsok:master
Nov 21, 2025
Merged

Optimize the document of Quark Script CWE-940#831
haeter525 merged 1 commit into
ev-flow:masterfrom
pulorsok:master

Conversation

@pulorsok

@pulorsok pulorsok commented Nov 21, 2025

Copy link
Copy Markdown
Member

CWE-940 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability.

To begin with, we create a detection rule named LoadUrlFromIntent.json to identify behavior that loads URLs from intent data to the WebView.

Next, we retrieve the methods that pass the URL. Then, we check if these methods are only for getting the URL, such as findViewById, getStringExtra, or getIntent.

If YES, it could imply that the APK uses communication channels without proper verification, which may cause CWE-940 vulnerability.

Quark Script: CWE-940.py

    from quark.script import runQuarkAnalysis, Rule

    SAMPLE_PATH = "ovaa.apk"
    RULE_PATH = "LoadUrlFromIntent.json"

    URL_GETTING_METHODS = [
        "findViewById",
        "getStringExtra",
        "getIntent",
    ]

    ruleInstance = Rule(RULE_PATH)

    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

    for behaviorInstance in quarkResult.behaviorOccurList:
        methodsInArgs = behaviorInstance.getMethodsInArgs()

        verifiedMethodCandidates = []

        for method in methodsInArgs:
            if method.methodName not in URL_GETTING_METHODS:
                verifiedMethodCandidates.append(method)

        if verifiedMethodCandidates == []:
            caller = behaviorInstance.methodCaller.fullName
            print(f"CWE-940 is detected in method, {caller}")

@codecov

codecov Bot commented Nov 21, 2025
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.16%. Comparing base (c57fa1d) to head (09476e9).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #831   +/-   ##
=======================================
  Coverage   81.16%   81.16%           
=======================================
  Files          75       75           
  Lines        6399     6399           
=======================================
  Hits         5194     5194           
  Misses       1205     1205
Flag Coverage Δ
unittests 81.16% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@haeter525 haeter525 self-requested a review November 21, 2025 13:50
haeter525
haeter525 approved these changes Nov 21, 2025
View reviewed changes

@haeter525 haeter525 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@haeter525 haeter525 added the documentation Improvements or additions to documentation label Nov 21, 2025
@haeter525 haeter525 merged commit 6d28c34 into ev-flow:master Nov 21, 2025
18 checks passed
@github-actions github-actions Bot mentioned this pull request Dec 1, 2025
Closed
@github-actions github-actions Bot mentioned this pull request May 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@haeter525 haeter525 haeter525 approved these changes

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation pr-processing-state-05

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pulorsok @haeter525