Add qhelp

Tony Torralba
2021-11-11 09:54:14 +01:00
parent 6152c8a989
commit 3405db31b8
2 changed files with 59 additions and 0 deletions

@@ -0,0 +1,25 @@
public class IntentUriPermissionManipulation extends Activity {
// BAD: the user-provided Intent is returned as-is
public void dangerous() {
Intent intent = getIntent();
intent.putExtra("result", "resultData");
setResult(intent);
}
// GOOD: a new Intent is created and returned
public void safe() {
Intent intent = new Intent();
intent.putExtra("result", "resultData");
setResult(intent);
}
// GOOD: the user-provided Intent is sanitized before being returned
public void sanitized() {
Intent intent = getIntent();
intent.putExtra("result", "resultData");
intent.removeFlags(
Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_GRANT_READ_URI_PERMISSION);
setResult(intent);
}
}
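
Review bot: the call `setResult(intent);` in `dangerous()`, `safe()` and `sanitized()` does not match any `Activity.setResult` overload, since both overloads take a result code first (`setResult(int)` and `setResult(int, Intent)`), so the sample does not compile as written. Suggest `setResult(RESULT_OK, intent);` in all three methods. In `sanitized()`, `Intent.removeFlags` is only available from API level 26, so a short comment stating that would keep readers targeting older API levels from copying a fix they cannot use.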

@@ -0,0 +1,34 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>When an Android component expects a result from an Activity, <code>startActivityForResult</code> can be used.
The started Activity can then use <code>setResult</code> to return the appropriate data to the calling component.</p>
<p>If an Activity obtains the incoming, user-provided Intent and directly returns it via <code>setResult</code>
without any checks, the application may be unintentionally giving arbitrary access to its Content Providers, even
if they are not exported, as long as they are configured with the attribute <code>android:grantUriPermissions="true"</code>.
This happens because the attacker adds the appropriate URI permission flags to the provided Intent, which take effect
once the Intent is reflected back.</p>
</overview>
<recommendation>
<p>Avoid returning user-provided or untrusted Intents via <code>setResult</code>. Use a new Intent instead.</p>
<p>If it is required to use the received Intent, make sure that it does not contain URI permission flags, either
by checking them with <code>Intent.getFlags</code> or removing them with <code>Intent.removeFlags</code>.</p>
</recommendation>
<example>
<p>The following sample contains three examples. In the first example, a user-provided Intent is obtained and
directly returned back with <code>setResult</code>, which is dangerous. In the second example, a new Intent
is created to safely return the desired data. The third example shows how the obtained Intent can be sanitized
by removing dangerous flags before using it to return data to the calling component.
</p>
<sample src="IntentUriPermissionManipulation.java" />
</example>
<references>
<li>Google Help: <a href="https://support.google.com/faqs/answer/9267555?hl=en">Remediation for Intent Redirection Vulnerability</a>.</li>
</references>
</qhelp>
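
Review bot: the `<recommendation>` offers checking flags with `Intent.getFlags` as an alternative to `Intent.removeFlags`, but the sample described in `<example>` only covers the removal case, and neither the overview nor the recommendation names the flags involved. Suggest naming `Intent.FLAG_GRANT_READ_URI_PERMISSION` and `Intent.FLAG_GRANT_WRITE_URI_PERMISSION` in the recommendation text so it matches what the sample removes, and either adding a `getFlags`-based case to the sample or saying in the `<example>` paragraph that only removal is shown.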