Merge pull request #11713 from joefarebrother/sensitive-result-receiver

Java: Add query for leaking sensitive data through a ResultReceiver
2026-04-29 10:45:15 +02:00 · 2023-02-01 16:34:17 +00:00
parent 96ee0f68b0 834fc51a3a
commit 97b2e852c9
8 changed files with 157 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.java
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.java
@@ -0,0 +1,8 @@
+// BAD: Sensitive data is sent to an untrusted result receiver 
+void bad(String password) {
+    Intent intent = getIntent();
+    ResultReceiver rec = intent.getParcelableExtra("Receiver");
+    Bundle b = new Bundle();
+    b.putCharSequence("pass", password);
+    rec.send(0, b); 
+}
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.qhelp
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.qhelp
@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>If a <code>ResultReceiver</code> is obtained from an untrusted source, such as an <code>Intent</code> received by an exported component, 
+    do not send it sensitive data. Otherwise, the information may be leaked to a malicious application.</p>
+  </overview>
+
+  <recommendation>
+    <p> 
+      Do not send sensitive data to an untrusted <code>ResultReceiver</code>.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>In the following (bad) example, sensitive data is sent to an untrusted <code>ResultReceiver</code>. </p>
+    <sample src="SensitiveResultReceiver.java" />
+  </example>
+
+  <references>
+  </references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Leaking sensitive information through a ResultReceiver
+ * @description Sending sensitive data to a 'ResultReceiver' obtained from an untrusted source
+ *              can allow malicious actors access to your information.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.2
+ * @precision medium
+ * @id java/android/sensitive-result-receiver
+ * @tags security
+ *       external/cwe/cwe-927
+ */
+
+import java
+import semmle.code.java.security.SensitiveResultReceiverQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
+where sensitiveResultReceiver(src, sink, recSrc)
+select sink, src, sink, "This $@ is sent to a ResultReceiver obtained from $@.", src,
+  "sensitive information", recSrc, "this untrusted source"
--- a/java/ql/src/change-notes/2023-01-12-sensitive-result-receiver.md
+++ b/java/ql/src/change-notes/2023-01-12-sensitive-result-receiver.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/sensitive-result-receiver`, to find instances of sensitive data being leaked to an untrusted `ResultReceiver`.