Add check for files which provide the app launcher

Adds support for filtering which applications include the `android.intent.action.MAIN` intent.
2025-12-24 04:36:35 +01:00 · 2022-08-30 12:54:26 -04:00
parent b5c54f5a3b
commit 500a6f3b86
2 changed files with 17 additions and 2 deletions
--- a/java/ql/lib/semmle/code/xml/AndroidManifest.qll
+++ b/java/ql/lib/semmle/code/xml/AndroidManifest.qll
@@ -98,6 +98,16 @@ class AndroidApplicationXmlElement extends XmlElement {
      attr.getValue() = "true"
    )
  }
+
+  predicate providesMainIntent() {
+    exists(AndroidActivityXmlElement activity |
+      activity = this.getAChild() and
+      exists(AndroidIntentFilterXmlElement intentFilter |
+        intentFilter = activity.getAChild() and
+        intentFilter.getAnActionElement().getActionName() = "android.intent.action.MAIN"
+      )
+    )
+  }
 }

 /**
--- a/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+++ b/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
@@ -15,6 +15,11 @@ import semmle.code.xml.AndroidManifest

 from AndroidApplicationXmlElement androidAppElem
 where
-  androidAppElem.allowsBackup() and
-  androidAppElem.getFile().(AndroidManifestXmlFile).isInBuildDirectory()
+  not androidAppElem.getFile().(AndroidManifestXmlFile).isInBuildDirectory() and
+  (
+    androidAppElem.allowsBackupExplicitly()
+    or
+    androidAppElem.providesMainIntent() and
+    androidAppElem.allowsBackup()
+  )
 select androidAppElem, "The 'android:allowBackup' attribute is enabled."