Merge pull request #3812 from luchua-bc/java-android-remote-source

Java: Add remote source of Android intent extra
2026-02-28 21:03:50 +01:00 · 2020-11-03 09:35:40 +01:00
parent 82f37e97c8 864411b4b9
commit 89361a3b75
25 changed files with 1065 additions and 41 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -16,6 +16,7 @@ import semmle.code.java.frameworks.android.XmlParsing
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.WebSocket
+import semmle.code.java.frameworks.android.Android
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.spring.SpringWeb
 import semmle.code.java.frameworks.spring.SpringController
@@ -323,15 +324,26 @@ class ReverseDNSMethod extends Method {

 /** Android `Intent` that may have come from a hostile application. */
 class AndroidIntentInput extends DataFlow::Node {
+  Type receiverType;
+
  AndroidIntentInput() {
    exists(MethodAccess ma, AndroidGetIntentMethod m |
      ma.getMethod().overrides*(m) and
-      this.asExpr() = ma
+      this.asExpr() = ma and
+      receiverType = ma.getReceiverType()
    )
    or
    exists(Method m, AndroidReceiveIntentMethod rI |
      m.overrides*(rI) and
-      this.asParameter() = m.getParameter(1)
+      this.asParameter() = m.getParameter(1) and
+      receiverType = m.getDeclaringType()
    )
  }
 }
+
+/** Exported Android `Intent` that may have come from a hostile application. */
+class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
+  ExportedAndroidIntentInput() { receiverType.(ExportableAndroidComponent).isExported() }
+
+  override string getSourceType() { result = "Exported Android intent source" }
+}
--- a/java/ql/src/semmle/code/java/frameworks/android/Android.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
@@ -30,25 +30,42 @@ class AndroidComponent extends Class {
  predicate hasIntentFilter() { exists(getAndroidComponentXmlElement().getAnIntentFilterElement()) }
 }

+/**
+ * An Android component that can be explicitly or implicitly exported.
+ */
+class ExportableAndroidComponent extends AndroidComponent {
+  /**
+   * Holds if this Android component is configured as `exported` or has intent
+   * filters configured without `exported` explicitly disabled in an
+   * `AndroidManifest.xml` file.
+   */
+  override predicate isExported() {
+    getAndroidComponentXmlElement().isExported()
+    or
+    hasIntentFilter() and
+    not getAndroidComponentXmlElement().isNotExported()
+  }
+}
+
 /** An Android activity. */
-class AndroidActivity extends AndroidComponent {
+class AndroidActivity extends ExportableAndroidComponent {
  AndroidActivity() { this.getASupertype*().hasQualifiedName("android.app", "Activity") }
 }

 /** An Android service. */
-class AndroidService extends AndroidComponent {
+class AndroidService extends ExportableAndroidComponent {
  AndroidService() { this.getASupertype*().hasQualifiedName("android.app", "Service") }
 }

 /** An Android broadcast receiver. */
-class AndroidBroadcastReceiver extends AndroidComponent {
+class AndroidBroadcastReceiver extends ExportableAndroidComponent {
  AndroidBroadcastReceiver() {
    this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver")
  }
 }

 /** An Android content provider. */
-class AndroidContentProvider extends AndroidComponent {
+class AndroidContentProvider extends ExportableAndroidComponent {
  AndroidContentProvider() {
    this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
  }
--- a/java/ql/src/semmle/code/java/frameworks/android/Intent.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Intent.qll
@@ -42,3 +42,13 @@ class IntentGetExtraMethod extends Method, TaintPreservingCallable {

  override predicate returnsTaintFrom(int arg) { arg = -1 }
 }
+
+/** A getter on `android.os.BaseBundle` or `android.os.Bundle`. */
+class BundleGetterMethod extends Method, TaintPreservingCallable {
+  BundleGetterMethod() {
+    getDeclaringType().hasQualifiedName("android.os", ["BaseBundle", "Bundle"]) and
+    getName().matches("get%")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}
--- a/java/ql/src/semmle/code/xml/AndroidManifest.qll
+++ b/java/ql/src/semmle/code/xml/AndroidManifest.qll
@@ -137,6 +137,11 @@ class AndroidComponentXmlElement extends XMLElement {
   * Holds if the `android:exported` attribute of this component element is `true`.
   */
  predicate isExported() { getExportedAttributeValue() = "true" }
+
+  /**
+   * Holds if the `android:exported` attribute of this component element is explicitly set to `false`.
+   */
+  predicate isNotExported() { getExportedAttributeValue() = "false" }
 }

 /**