Apply suggestions from code review

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
Anders Schack-Mulligen
2021-10-26 14:04:13 +02:00
committed by GitHub
parent 6dac86b9be
commit ba95d46ec3
4 changed files with 10 additions and 10 deletions

@@ -2,20 +2,20 @@
<qhelp>
<overview>
<p>When an implicit intent is used with a method such as <code>startActivity</code>, <code>startService</code>, or <code>sendBroadcast</code>, it may be read by other applications on the device.</p>
<p>This means that sensitive data in these intents may be leaked.</p>
<p>When an implicit Intent is used with a method such as <code>startActivity</code>, <code>startService</code>, or <code>sendBroadcast</code>, it may be read by other applications on the device.</p>
<p>This means that sensitive data in these Intents may be leaked.</p>
</overview>
<recommendation>
<p>
For <code>sendBroadcast</code> methods, a receiver permission may be specified so that only applications with a certain permission may receive the intent;
For <code>sendBroadcast</code> methods, a receiver permission may be specified so that only applications with a certain permission may receive the Intent;
or a <code>LocalBroadcastManager</code> may be used.
Otherwise, ensure that intents containing sensitive data have an explicit receiver class set.
Otherwise, ensure that Intents containing sensitive data have an explicit receiver class set.
</p>
</recommendation>
<example>
<p>The following example shows two ways of broadcasting intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
<p>The following example shows two ways of broadcasting Intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
<sample src="SensitiveCommunication.java" />
</example>
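Review bot: The example paragraph describes the 'GOOD' case as specifying a "receiver permission" or "receiver application", but the recommendation above it lists a receiver permission, a LocalBroadcastManager, or an explicit receiver class, so the two passages use different terms for the mitigations. Suggest aligning them, for instance by naming the explicit receiver in the example sentence the same way the recommendation does. The overview also names startActivity and startService, while the example sentence covers only broadcasts; a short clause saying that the "Otherwise" advice (explicit receiver class) is what applies to those two methods would make the help easier to act on. Minor: in the first overview sentence, "it may be read" reads more clearly as "the Intent may be read".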

@@ -1,6 +1,6 @@
/**
* @name Leaking sensitive information through an implicit intent
* @description An Android application uses implicit intents containing sensitive data
* @name Leaking sensitive information through an implicit Intent
* @description An Android application uses implicit Intents containing sensitive data
* in a way that exposes it to arbitrary applications on the device.
* @kind path-problem
* @problem.severity warning
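Review bot: In the @description, "in a way that exposes it" has an unclear antecedent, since "it" could refer to the application or to the sensitive data. Suggest "in a way that exposes that data to arbitrary applications on the device." The capitalization of "Intent" in @name and @description now matches the qhelp text, which is good; any other place that repeats the query name should be checked for the same spelling.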