hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

updated help file and unit tests

Browse Source
This commit is contained in:
Jami Cogswell
2022-08-05 16:35:28 -04:00
parent eea1089ee0
commit 10fa687e26
6 changed files with 118 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
java/ql/src/Security/CWE/CWE-926/ExampleBad.xml Normal file
View File

@@ -0,0 +1,11 @@
<manifest ... >
<application ...
<!-- BAD: this component is implicitly exported -->
<activity>
android:name=".Activity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
</intent-filter>
</activity>
</application>
</manifest>

12
java/ql/src/Security/CWE/CWE-926/ExampleGood.xml Normal file
View File

@@ -0,0 +1,12 @@
<manifest ... >
<application ...
<!-- GOOD: this component is not exported due to 'android:exported' explicitly set to 'false'-->
<activity>
android:name=".Activity">
android:exported="false"
<intent-filter>
<action android:name="android.intent.action.VIEW" />
</intent-filter>
</activity>
</application>
</manifest>

33
java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp
View File

@@ -5,30 +5,27 @@
<overview>
<p>The Android manifest file defines configuration settings for Android applications.
In this file, the <code>android:debuggable</code> attribute of the <code>application</code> element can be used to
define whether or not the application can be debugged. When set to <code>true</code>, this attribute will allow the
application to be debugged even when running on a device in user mode.</p>
In this file, components can be declared with intent filters which specify the types of intents the component can respond to.
If the <code>android:exported</code> attribute is omitted from the component when an intent filter is included,
then the component will be implicitly exported.</p>
<p>When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.
As a result, <code>android:debuggable</code> should only be enabled during development and should be disabled in
production builds.</p>
<p>An implicitly exported component could allow for improper access to the component and its data.</p>
</overview>
<recommendation>
<p>In Android applications either set the <code>android:debuggable</code> attribute to <code>false</code>
or do not include it in the manifest. The default value when not included is <code>false</code>.</p>
<p>Explicitly set the <code>android:exported</code> attribute for every component or use permissions to limit access to the component.</p>
</recommendation>
<example>
<p>In the example below, the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
<p>In the example below, the component <code>android:exported</code> attribute is omitted when an intent filter is used.</p>
<!--<sample src="DebuggableTrue.xml" />-->
<sample src="ExampleBad.xml" />
<p>The corrected version sets the <code>android:debuggable</code> attribute to <code>false</code>.</p>
<p>A corrected version sets the <code>android:exported</code> attribute to <code>false</code>.</p>
<!--<sample src="DebuggableFalse.xml" />-->
<sample src="ExampleGood.xml" />
</example>
<references>
@@ -39,11 +36,19 @@ or do not include it in the manifest. The default value when not included is <co
</li>
<li>
Android Developers:
<a href="https://developer.android.com/guide/topics/manifest/application-element#debug">The android:debuggable attribute</a>.
<a href="https://developer.android.com/guide/topics/manifest/intent-filter-element">intent-filter-element</a>.
</li>
<li>
Android Developers:
<a href="https://developer.android.com/studio/debug#enable-debug">Enable debugging</a>.
<a href="https://developer.android.com/guide/topics/manifest/activity-element#exported">The android:exported attribute</a>.
</li>
<li>
Android Developers:
<a href="https://developer.android.com/guide/topics/manifest/activity-element#prmsn">The android:permission attribute</a>.
</li>
<li>
Android Developers:
<a href="https://developer.android.com/about/versions/12/behavior-changes-12#exported">Safer component exporting</a>.
</li>
</references>

21
java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
View File

@@ -12,7 +12,6 @@
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="@style/Theme.HappyBirthday"
android:permission="android.permission.SEND_SMS"
tools:targetApi="31"> <!-- test -->
<!-- Safe: category LAUNCHER --> <activity
android:name=".MainActivity">
@@ -29,6 +28,26 @@
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<!-- Safe: 'android:exported' explicitly set --> <activity
android:name=".MainActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<!-- Safe: no intent filter --> <activity
android:name=".MainActivity">
</activity>
<!-- Safe: has 'permission' attribute --> <activity
android:name=".MainActivity"
android:permission=".Test">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
</application>
</manifest>

10
java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql
View File

@@ -9,13 +9,9 @@ class ImplicitlyExportedAndroidComponentTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasImplicitExport" and
exists(AndroidComponentXmlElement compElem, AndroidIntentFilterXmlElement intFiltElem |
not compElem.hasAttribute("exported") and
//compElem.getAnIntentFilterElement() instanceof AndroidIntentFilterXmlElement
not intFiltElem.getParent() = compElem
|
compElem.getLocation() = location and
element = compElem.toString() and
exists(AndroidComponentXmlElement compElement | compElement.isImplicitlyExported() |
compElement.getLocation() = location and
element = compElement.toString() and
value = ""
)
}

53
java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml Normal file
View File

@@ -0,0 +1,53 @@
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
package="com.example.happybirthday">
<application
android:allowBackup="true"
android:dataExtractionRules="@xml/data_extraction_rules"
android:fullBackupContent="@xml/backup_rules"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
android:supportsRtl="true"
android:theme="@style/Theme.HappyBirthday"
tools:targetApi="31"> <!-- test -->
<!-- Safe: category LAUNCHER --> <activity
android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<!-- Safe: in build directory --> <activity
android:name=".MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<!-- Safe: 'android:exported' explicitly set --> <activity
android:name=".MainActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
<!-- Safe: no intent filter --> <activity
android:name=".MainActivity">
</activity>
<!-- Safe: has 'permission' attribute --> <activity
android:name=".MainActivity"
android:permission=".Test">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
</intent-filter>
</activity>
</application>
</manifest>