Sensitive broadcast

2026-04-28 10:15:14 +02:00 · 2020-10-19 16:16:13 +00:00
parent 4ce41854a4
commit 2c2aab6ffc
8 changed files with 330 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
@@ -0,0 +1,24 @@
+edges
+| SensitiveBroadcast.java:11:34:11:38 | token : String | SensitiveBroadcast.java:13:31:13:36 | intent |
+| SensitiveBroadcast.java:12:41:12:52 | refreshToken : String | SensitiveBroadcast.java:13:31:13:36 | intent |
+| SensitiveBroadcast.java:23:33:23:40 | username : String | SensitiveBroadcast.java:25:31:25:36 | intent |
+| SensitiveBroadcast.java:24:32:24:39 | password : String | SensitiveBroadcast.java:25:31:25:36 | intent |
+| SensitiveBroadcast.java:36:40:36:47 | username : String | SensitiveBroadcast.java:39:31:39:36 | intent |
+| SensitiveBroadcast.java:37:39:37:46 | password : String | SensitiveBroadcast.java:39:31:39:36 | intent |
+nodes
+| SensitiveBroadcast.java:11:34:11:38 | token : String | semmle.label | token : String |
+| SensitiveBroadcast.java:12:41:12:52 | refreshToken : String | semmle.label | refreshToken : String |
+| SensitiveBroadcast.java:13:31:13:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:23:33:23:40 | username : String | semmle.label | username : String |
+| SensitiveBroadcast.java:24:32:24:39 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:25:31:25:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:36:40:36:47 | username : String | semmle.label | username : String |
+| SensitiveBroadcast.java:37:39:37:46 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:39:31:39:36 | intent | semmle.label | intent |
+#select
+| SensitiveBroadcast.java:13:31:13:36 | intent | SensitiveBroadcast.java:11:34:11:38 | token : String | SensitiveBroadcast.java:13:31:13:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:11:34:11:38 | token | sensitive information |
+| SensitiveBroadcast.java:13:31:13:36 | intent | SensitiveBroadcast.java:12:41:12:52 | refreshToken : String | SensitiveBroadcast.java:13:31:13:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:12:41:12:52 | refreshToken | sensitive information |
+| SensitiveBroadcast.java:25:31:25:36 | intent | SensitiveBroadcast.java:23:33:23:40 | username : String | SensitiveBroadcast.java:25:31:25:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:23:33:23:40 | username | sensitive information |
+| SensitiveBroadcast.java:25:31:25:36 | intent | SensitiveBroadcast.java:24:32:24:39 | password : String | SensitiveBroadcast.java:25:31:25:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:24:32:24:39 | password | sensitive information |
+| SensitiveBroadcast.java:39:31:39:36 | intent | SensitiveBroadcast.java:36:40:36:47 | username : String | SensitiveBroadcast.java:39:31:39:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:36:40:36:47 | username | sensitive information |
+| SensitiveBroadcast.java:39:31:39:36 | intent | SensitiveBroadcast.java:37:39:37:46 | password : String | SensitiveBroadcast.java:39:31:39:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:37:39:37:46 | password | sensitive information |
--- a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.java
@@ -0,0 +1,66 @@
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+
+class SensitiveBroadcast {
+
+    //Tests broadcast of access token with intent extra.
+    public void sendBroadcast1(Context context, String token, String refreshToken) {
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+
+    //Tests broadcast of sensitive user information with intent extra.
+    public void sendBroadcast2(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent);
+    }
+
+    //Tests broadcast of sensitive user information with extra bundle.
+    public void sendBroadcast3(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        Bundle bundle = new Bundle();
+        bundle.putCharSequence("name", username);
+        bundle.putCharSequence("pwd", password);
+        intent.putExtras(bundle);
+        context.sendBroadcast(intent);
+    }    
+
+    //Tests broadcast of sensitive user information with permission.
+    public void sendBroadcast4(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent, "com.example.user_permission");
+    }
+
+    //Tests broadcast of sensitive user information to a specific application.
+    public void sendBroadcast5(Context context) {
+        String username = "test123";
+        String password = "abc12345";
+    
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.setClassName("com.example2", "com.example2.UserInfoHandler");
+        intent.putExtra("name", username);
+        intent.putExtra("pwd", password);
+        context.sendBroadcast(intent);
+    }    
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-927/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0
--- a/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java
@@ -1996,4 +1996,77 @@ public class Intent implements Parcelable, Cloneable {

    public void readFromParcel(Parcel in) {
    }
+
+    /**
+     * Retrieve the application package name this Intent is limited to.  When
+     * resolving an Intent, if non-null this limits the resolution to only
+     * components in the given application package.
+     *
+     * @return The name of the application package for the Intent.
+     *
+     * @see #resolveActivity
+     * @see #setPackage
+     */
+    public String getPackage() {
+        return null;
+    }
+
+    /**
+     * (Usually optional) Set an explicit application package name that limits
+     * the components this Intent will resolve to.  If left to the default
+     * value of null, all components in all applications will considered.
+     * If non-null, the Intent can only match the components in the given
+     * application package.
+     *
+     * @param packageName The name of the application package to handle the
+     * intent, or null to allow any application package.
+     *
+     * @return Returns the same Intent object, for chaining multiple calls
+     * into a single statement.
+     *
+     * @see #getPackage
+     * @see #resolveActivity
+     */
+    public Intent setPackage(String packageName) {
+        return null;
+    }
+
+    /**
+     * Convenience for calling {@link #setComponent} with an
+     * explicit class name.
+     *
+     * @param packageContext A Context of the application package implementing
+     * this class.
+     * @param className The name of a class inside of the application package
+     * that will be used as the component for this Intent.
+     *
+     * @return Returns the same Intent object, for chaining multiple calls
+     * into a single statement.
+     *
+     * @see #setComponent
+     * @see #setClass
+     */
+    public Intent setClassName(Context packageContext, String className) {
+        return null;
+    }
+
+    /**
+     * Convenience for calling {@link #setComponent} with an
+     * explicit application package name and class name.
+     *
+     * @param packageName The name of the package implementing the desired
+     * component.
+     * @param className The name of a class inside of the application package
+     * that will be used as the component for this Intent.
+     *
+     * @return Returns the same Intent object, for chaining multiple calls
+     * into a single statement.
+     *
+     * @see #setComponent
+     * @see #setClass
+     */
+    public Intent setClassName(String packageName, String className) {
+        return null;
+    }
+
 }
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0`