Merge pull request #8669 from joefarebrother/intent-verification

Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)

java/ql/src/Security/CWE/CWE-925/AndroidManifest.xml

@@ -0,0 +1,9 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test">
+    <application>
+        <receiver android:name=".BootReceiverXml">
+            <intent-filter>
+                <action android:name="android.intent.action.BOOT_COMPLETED" />
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-925/Bad.java

@@ -0,0 +1,7 @@
+public class ShutdownReceiver extends BroadcastReceiver {
+    @Override
+    public void onReceive(final Context context, final Intent intent) {
+        mainActivity.saveLocalData();
+        mainActivity.stopActivity();
+    }
+}

java/ql/src/Security/CWE/CWE-925/Good.java

@@ -0,0 +1,10 @@
+public class ShutdownReceiver extends BroadcastReceiver {
+    @Override
+    public void onReceive(final Context context, final Intent intent) {
+        if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {
+            return;
+        }
+        mainActivity.saveLocalData();
+        mainActivity.stopActivity();
+    }
+}

java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.qhelp

@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+
+<qhelp>
+
+<overview>
+<p>
+When an Android application uses a <code>BroadcastReceiver</code> to receive intents, 
+it is also able to receive explicit intents that are sent directly to it, regardless of its filter.
+
+Certain intent actions are only able to be sent by the operating system, not third-party applications. 
+However, a <code>BroadcastReceiver</code> that is registered to receive system intents is still able to receive 
+intents from a third-party application, so it should check that the intent received has the expected action.
+Otherwise, a third-party application could impersonate the system this way to cause unintended behavior, such as a denial of service.
+</p>
+</overview>
+
+<example>
+  <p>In the following code, the <code>ShutdownReceiver</code> initiates a shutdown procedure upon receiving an intent, 
+  without checking that the received action is indeed <code>ACTION_SHUTDOWN</code>. This allows third-party applications to 
+  send explicit intents to this receiver to cause a denial of service.</p>
+<sample src="Bad.java" />
+<sample src="AndroidManifest.xml" />
+</example>
+
+<recommendation>
+<p>
+In the <code>onReceive</code> method of a <code>BroadcastReciever</code>, the action of the received Intent should be checked. The following code demonstrates this.
+</p>
+<sample src="Good.java" />
+</recommendation>
+
+
+
+<references>
+
+</references>
+
+</qhelp>

java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Improper verification of intent by broadcast receiver
+ * @description A broadcast receiver that does not verify intents it receives may be susceptible to unintended behavior by third party applications sending it explicit intents.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.2
+ * @precision high
+ * @id java/improper-intent-verification
+ * @tags security
+ *       external/cwe/cwe-925
+ */
+
+import java
+import semmle.code.java.security.ImproperIntentVerificationQuery
+
+from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
+where unverifiedSystemReceiver(reg, orm, sa)
+select orm, "This reciever doesn't verify intents it receives, and is registered $@ to receive $@.",
+  reg, "here", sa, "the system action " + sa.getName()

java/ql/src/change-notes/2022-04-27-intent-verification.md

@@ -0,0 +1,6 @@
+---
+category: newQuery
+---
+* A new query "Improper verification of intent by broadcast receiver" (`java/improper-intent-verification`) has been added. 
+This query finds instances of Android `BroadcastReceiver`s that don't verify the action string of received intents when registered
+to receive system intents.