Merge pull request #9983 from jcogs33/android-implicit-export

Java: query to detect implicitly exported Android components

java/ql/src/Security/CWE/CWE-926/ExampleBad.xml

@@ -0,0 +1,11 @@
+<manifest ... >
+    <application ...
+        <!-- BAD: this component is implicitly exported -->
+        <activity>
+            android:name=".Activity">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-926/ExampleGood.xml

@@ -0,0 +1,12 @@
+<manifest ... >
+    <application ...
+        <!-- GOOD: this component is not exported due to 'android:exported' explicitly set to 'false'-->
+        <activity>
+            android:name=".Activity">
+            android:exported="false"
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>The Android manifest file defines configuration settings for Android applications.
+In this file, components can be declared with intent filters which specify what the components can do and what types
+of intents the components can respond to. If the <code>android:exported</code> attribute is omitted from the component
+when an intent filter is included, then the component will be implicitly exported.</p>
+
+<p>An implicitly exported component could allow for improper access to the component and its data.</p>
+
+</overview>
+<recommendation>
+
+<p>Explicitly set the <code>android:exported</code> attribute for every component or use permissions to limit access to the component.</p>
+
+</recommendation>
+<example>
+
+<p>In the example below, the <code>android:exported</code> attribute is omitted when an intent filter is used.</p>
+
+<sample src="ExampleBad.xml" />
+
+<p>A corrected version sets the <code>android:exported</code> attribute to <code>false</code>.</p>
+
+<sample src="ExampleGood.xml" />
+
+</example>
+<references>
+
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/manifest-intro">App Manifest Overview</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/intent-filter-element">The &lt;intent-filter&gt; element</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/activity-element#exported">The android:exported attribute</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/activity-element#prmsn">The android:permission attribute</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/about/versions/12/behavior-changes-12#exported">Safer component exporting</a>.
+</li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Implicitly exported Android component
+ * @description Android components with an '<intent-filter>' and no 'android:exported' attribute are implicitly exported, which can allow for improper access to the components themselves and to their data.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.2
+ * @id java/android/implicitly-exported-component
+ * @tags security
+ *       external/cwe/cwe-926
+ * @precision high
+ */
+
+import java
+import semmle.code.java.security.ImplicitlyExportedAndroidComponent
+
+from ImplicitlyExportedAndroidComponent impExpAndroidComp
+select impExpAndroidComp, "This component is implicitly exported."