Android Manifest Incomplete provider permissions initial commit

Initial work on checking provider elements in Android manifests for complete permissions.
2025-12-24 04:36:35 +01:00 · 2022-09-19 10:31:02 -04:00
parent 556e93ae68
commit 00891fa455
1 changed files with 23 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.ql
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Missing read or write permission configuration
+ * @description Defining an incomplete set of permissions
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @id java/android/incomplete-provider-permissions
+ * @tags security
+ *       external/cwe/cwe-276
+ * @precision medium
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidProviderXmlElement provider
+where
+  (
+    provider.getAnAttribute().(AndroidPermissionXmlAttribute).isWrite() or
+    provider.getAnAttribute().(AndroidPermissionXmlAttribute).isRead()
+  ) and
+  not provider.requiresPermissions()
+select provider, "Incomplete permissions"