third draft with category launcher and permission element excluded

2025-12-24 04:36:35 +01:00 · 2022-08-05 01:16:59 -04:00
parent 8d5bbc458f
commit a6ecac6e00
2 changed files with 58 additions and 11 deletions
--- a/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+++ b/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
@@ -13,16 +13,56 @@
 import java
 import semmle.code.xml.AndroidManifest

-from AndroidComponentXmlElement compElem
+// FIRST DRAFT
+// from AndroidComponentXmlElement compElem
+// where
+//   not compElem.hasAttribute("exported") and
+//   compElem.getAChild().hasName("intent-filter") and
+//   not compElem.hasAttribute("permission") and
+//   not compElem
+//       .getAnIntentFilterElement()
+//       .getAnActionElement()
+//       .getActionName()
+//       .matches("android.intent.action.MAIN") and // filter out anything that is android intent (e.g. don't just filter out MAIN) because I think those are fine (but need to look at docs to confirm)
+//   //not compElem.getAnIntentFilterElement().getAnActionElement().getActionName() = "android.intent.category.LAUNCHER" and // I should add this as well, but above will techincally filter out since they always seem to occur together
+//   not compElem.getFile().getRelativePath().matches("%build%") // switch to not isInBuildDirectory() once new predicate is merged into main
+// select compElem, "This component is implicitly exported."
+// SECOND DRAFT
+// from AndroidComponentXmlElement compElem
+// where
+//   // Does NOT have `exported` attribute
+//   not compElem.hasAttribute("exported") and
+//   // and DOES have an intent-filter (DOUBLE-CHECK THIS CODE AND CHECK AGAINST OTHER VERSIONS THAT SEEMED TO WORK THE SAME)
+//   compElem.getAChild().hasName("intent-filter") and // compElem.getAChild("intent-filter"); need hasComponent with exists(...) here?
+//   // and does NOT have `permission` attribute
+//   not compElem.hasAttribute("permission") and
+//   // and is NOT in build directory (NOTE: switch to not isInBuildDirectory() once new predicate is merged into main)
+//   not compElem.getFile().getRelativePath().matches("%build%") and
+//   // and does NOT have a LAUNCHER category, see docs: https://developer.android.com/about/versions/12/behavior-changes-12#exported
+//   // Constant Value: "android.intent.category.LAUNCHER" from https://developer.android.com/reference/android/content/Intent#CATEGORY_LAUNCHER
+//   // I think beloew is actually too coarse because there can be multiple intent-filters in one component, so 2nd intent-filter without the launcher
+//   // could maybe be an issue, e.g. https://github.com/microsoft/DynamicsWOM/blob/62c2dad4cbbd4496a55aa3f644336044105bb1c1/app/src/main/AndroidManifest.xml#L56-L66
+//   not compElem.getAnIntentFilterElement().getAChild("category").getAttributeValue("name") =
+//     "android.intent.category.LAUNCHER" // double-check this code (especially use of getAChild and pattern match with LAUNCHER (e.g. should I do .%LAUNCHER instead?--No, constant value per docs), etc.), and definitely need to add stuff to library for this; should use exists(...) here?
+// select compElem, "This component is implicitly exported."
+// THIRD DRAFT
+from AndroidComponentXmlElement compElem, AndroidManifestXmlElement manifestElem
 where
+  // Does NOT have `exported` attribute
  not compElem.hasAttribute("exported") and
-  compElem.getAChild().hasName("intent-filter") and
+  // and DOES have an intent-filter (DOUBLE-CHECK THIS CODE AND CHECK AGAINST OTHER VERSIONS THAT SEEMED TO WORK THE SAME)
+  compElem.getAChild().hasName("intent-filter") and // compElem.getAChild("intent-filter"); need hasComponent with exists(...) here?
+  // and does NOT have `permission` attribute
  not compElem.hasAttribute("permission") and
-  not compElem
-      .getAnIntentFilterElement()
-      .getAnActionElement()
-      .getActionName()
-      .matches("android.intent.action.%") and // filter out anything that is android intent (e.g. don't just filter out MAIN) because I think those are fine (but need to look at docs to confirm)
-  //not compElem.getAnIntentFilterElement().getAnActionElement().getActionName() = "android.intent.category.LAUNCHER" and // I should add this as well, but above will techincally filter out since they always seem to occur together
-  not compElem.getFile().getRelativePath().matches("%build%") // switch to not isInBuildDirectory() once new predicate is merged into main
+  // and is NOT in build directory (NOTE: switch to not isInBuildDirectory() once new predicate is merged into main)
+  not compElem.getFile().getRelativePath().matches("%build%") and
+  // and does NOT have a LAUNCHER category, see docs: https://developer.android.com/about/versions/12/behavior-changes-12#exported
+  // Constant Value: "android.intent.category.LAUNCHER" from https://developer.android.com/reference/android/content/Intent#CATEGORY_LAUNCHER
+  // I think beloew is actually filtering out too much because there can be multiple intent-filters in one component, so 2nd intent-filter without the launcher
+  // could maybe be an issue, e.g. https://github.com/microsoft/DynamicsWOM/blob/62c2dad4cbbd4496a55aa3f644336044105bb1c1/app/src/main/AndroidManifest.xml#L56-L66
+  not compElem.getAnIntentFilterElement().getAChild("category").getAttributeValue("name") =
+    "android.intent.category.LAUNCHER" and // double-check this code (especially use of getAChild and pattern match with LAUNCHER (e.g. should I do .%LAUNCHER instead?--No, constant value per docs), etc.), and definitely need to add stuff to library for this; should use exists(...) here?
+  // and NO <permission> element in manifest file since that will be applied to the component even if no `permission` attribute directly
+  // set on component per the docs:
+  not manifestElem.getAChild().hasName("permission")
 select compElem, "This component is implicitly exported."