Merge pull request #8669 from joefarebrother/intent-verification

Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)

java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml

@@ -0,0 +1,9 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test">
+    <application>
+        <receiver android:name=".BootReceiverXml">
+            <intent-filter>
+                <action android:name="android.intent.action.BOOT_COMPLETED" />
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>

java/ql/test/query-tests/security/CWE-925/BootReceiverXml.java

@@ -0,0 +1,13 @@
+package test;
+import android.content.Intent;
+import android.content.Context;
+import android.content.BroadcastReceiver;
+
+class BootReceiverXml extends BroadcastReceiver {
+    void doStuff(Intent intent) {}
+
+    @Override 
+    public void onReceive(Context ctx, Intent intent) { // $hasResult
+        doStuff(intent);
+    }
+}

java/ql/test/query-tests/security/CWE-925/ImproperIntentVerification.ql

@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.ImproperIntentVerificationQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasResult" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasResult" and
+    exists(Method orm | unverifiedSystemReceiver(_, orm, _) |
+      orm.getLocation() = location and
+      element = orm.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-925/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0