From 10fa687e26008c5d4c39571a9afc92fe88becd12 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Fri, 5 Aug 2022 16:35:28 -0400
Subject: [PATCH] updated help file and unit tests
---
.../src/Security/CWE/CWE-926/ExampleBad.xml | 11 ++++
.../src/Security/CWE/CWE-926/ExampleGood.xml | 12 +++++
.../ImplicitlyExportedAndroidComponent.qhelp | 33 +++++++-----
.../security/CWE-926/AndroidManifest.xml | 21 +++++++-
.../ImplicitlyExportedAndroidComponentTest.ql | 10 ++--
.../CWE-926/Testbuild/AndroidManifest.xml | 53 +++++++++++++++++++
6 files changed, 118 insertions(+), 22 deletions(-)
create mode 100644 java/ql/src/Security/CWE/CWE-926/ExampleBad.xml
create mode 100644 java/ql/src/Security/CWE/CWE-926/ExampleGood.xml
create mode 100644 java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml
diff --git a/java/ql/src/Security/CWE/CWE-926/ExampleBad.xml b/java/ql/src/Security/CWE/CWE-926/ExampleBad.xml
new file mode 100644
index 00000000000..ec60406c460
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-926/ExampleBad.xml
@@ -0,0 +1,11 @@
+
+
+
+ android:name=".Activity">
+
+
+
+
+
+
diff --git a/java/ql/src/Security/CWE/CWE-926/ExampleGood.xml b/java/ql/src/Security/CWE/CWE-926/ExampleGood.xml
new file mode 100644
index 00000000000..f19184b8c13
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-926/ExampleGood.xml
@@ -0,0 +1,12 @@
+
+
+
+ android:name=".Activity">
+ android:exported="false"
+
+
+
+
+
+
diff --git a/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp b/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp
index 8cac72b1267..8aa88304c09 100644
--- a/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp
+++ b/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp
@@ -5,30 +5,27 @@
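Review bot: In ExampleGood.xml the `android:exported="false"` line comes after `android:name=".Activity">`, i.e. after the `>` that closes the activity's start tag, so as written it is character data inside the element rather than an attribute and the "good" example would still be implicitly exported. The element tags themselves are not visible in this rendering, so confirm against the file, but the `>` on the name line is the same one that ends the start tag in ExampleBad.xml. The fix is to move the closing bracket: `android:name=".Activity"` followed by `android:exported="false">`.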

The Android manifest file defines configuration settings for Android applications.
-In this file, the android:debuggable attribute of the application element can be used to
-define whether or not the application can be debugged. When set to true, this attribute will allow the
-application to be debugged even when running on a device in user mode.

+In this file, components can be declared with intent filters which specify the types of intents the component can respond to.
+If the android:exported attribute is omitted from the component when an intent filter is included,
+then the component will be implicitly exported.

-

When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.
-As a result, android:debuggable should only be enabled during development and should be disabled in
-production builds.

+

An implicitly exported component could allow for improper access to the component and its data.

-

In Android applications either set the android:debuggable attribute to false
-or do not include it in the manifest. The default value when not included is false.

+

Explicitly set the android:exported attribute for every component or use permissions to limit access to the component.

-

In the example below, the android:debuggable attribute is set to true.

+

In the example below, the component android:exported attribute is omitted when an intent filter is used.

- + -

The corrected version sets the android:debuggable attribute to false.

+

A corrected version sets the android:exported attribute to false.

- +
@@ -39,11 +36,19 @@ or do not include it in the manifest. The default value when not included is
  • Android Developers: - The android:debuggable attribute. + intent-filter-element.
  • Android Developers: - Enable debugging. + The android:exported attribute. +
  • +
  • + Android Developers: + The android:permission attribute. +
  • +
  • + Android Developers: + Safer component exporting.
•
diff --git a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
index 02b45fa4b61..d1ecefda4a1 100644
--- a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
@@ -12,7 +12,6 @@
 android:roundIcon="@mipmap/ic_launcher_round"
 android:supportsRtl="true"
 android:theme="@style/Theme.HappyBirthday"
- android:permission="android.permission.SEND_SMS"
 tools:targetApi="31">
@@ -29,6 +28,26 @@
+ + + + + + + + + + + + + + +
diff --git a/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql b/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql
index 1f63a048199..a8c9587ea49 100644
--- a/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql
+++ b/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql
@@ -9,13 +9,9 @@ class ImplicitlyExportedAndroidComponentTest extends InlineExpectationsTest {
 override predicate hasActualResult(Location location, string element, string tag, string value) {
 tag = "hasImplicitExport" and
- exists(AndroidComponentXmlElement compElem, AndroidIntentFilterXmlElement intFiltElem |
- not compElem.hasAttribute("exported") and
- //compElem.getAnIntentFilterElement() instanceof AndroidIntentFilterXmlElement
- not intFiltElem.getParent() = compElem
- |
- compElem.getLocation() = location and
- element = compElem.toString() and
+ exists(AndroidComponentXmlElement compElement | compElement.isImplicitlyExported() |
+ compElement.getLocation() = location and
+ element = compElement.toString() and
 value = ""
 )
 }
diff --git a/java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml
new file mode 100644
index 00000000000..70896921295
--- /dev/null
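Review bot: The first hunk of the test AndroidManifest.xml drops the application-level `android:permission="android.permission.SEND_SMS"`, so after this change nothing visible in this file exercises the case where an application-wide permission should keep an intent-filtered component from being reported, even though the qhelp in the same patch names permissions as the recommended mitigation. If `isImplicitlyExported()` takes the parent application's permission into account (the predicate's body is not in this patch), a component under a permission-protected application should remain in the test corpus with no expectation, either here or in the new Testbuild manifest, and a short comment on the manifest should say which case each component covers. The components added in the second hunk are not visible in this rendering, so this may already be handled there.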
+++ b/java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +