Merge pull request #11915 from egregius313/egregius313/arbitrary-apk-installation

Java: Arbitrary APK installation
2026-04-27 17:55:19 +02:00 · 2023-03-14 06:23:51 -04:00
parent dd0723c36b 59eea2a4a3
commit de1ecf943e
12 changed files with 459 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallation.java
+++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallation.java
@@ -0,0 +1,58 @@
+import android.app.Activity;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Environment;
+
+import java.io.File;
+
+public class ApkInstallation extends Activity {
+    static final String APK_MIMETYPE = "application/vnd.android.package-archive";
+
+    public void installAPK(String path) {
+        // BAD: the path is not checked
+        Intent intent = new Intent(Intent.ACTION_VIEW);
+        intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ hasApkInstallation
+        startActivity(intent);
+    }
+
+    public void installAPK3(String path) {
+        Intent intent = new Intent(Intent.ACTION_VIEW);
+        intent.setType(APK_MIMETYPE);
+        // BAD: the path is not checked
+        intent.setData(Uri.fromFile(new File(path))); // $ hasApkInstallation
+        startActivity(intent);
+    }
+
+    public void installAPKFromExternalStorage(String path) {
+        // BAD: file is from external storage
+        File file = new File(Environment.getExternalStorageDirectory(), path);
+        Intent intent = new Intent(Intent.ACTION_VIEW);
+        intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ hasApkInstallation
+        startActivity(intent);
+    }
+
+    public void installAPKFromExternalStorageWithActionInstallPackage(String path) {
+        // BAD: file is from external storage
+        File file = new File(Environment.getExternalStorageDirectory(), path);
+        Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
+        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+        startActivity(intent);
+    }
+
+    public void installAPKInstallPackageLiteral(String path) {
+        File file = new File(Environment.getExternalStorageDirectory(), path);
+        Intent intent = new Intent("android.intent.action.INSTALL_PACKAGE");
+        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+        startActivity(intent);
+    }
+
+    public void otherIntent(File file) {
+        Intent intent = new Intent(this, OtherActivity.class);
+        intent.setAction(Intent.ACTION_VIEW);
+        // BAD: the file is from unknown source
+        intent.setData(Uri.fromFile(file)); // $ hasApkInstallation
+    }
+}
+
+class OtherActivity extends Activity {
+}
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.expected
+++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.expected
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql
+++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql
@@ -0,0 +1,19 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.ArbitraryApkInstallationQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasApkInstallationTest extends InlineExpectationsTest {
+  HasApkInstallationTest() { this = "HasApkInstallationTest" }
+
+  override string getARelevantTag() { result = "hasApkInstallation" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasApkInstallation" and
+    exists(DataFlow::Node sink | ApkInstallationFlow::hasFlowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-094/options
+++ b/java/ql/test/query-tests/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}/../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../stubs/jinjava-2.6.0:${testdir}/../../../stubs/pebble-3.1.5:${testdir}/../../../stubs/thymeleaf-3.0.14:${testdir}/../../../stubs/apache-velocity-2.3
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/validation-api-2.0.1.Final:${testdir}/../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/apache-commons-jexl-2.1.1:${testdir}/../../../stubs/apache-commons-jexl-3.1:${testdir}/../../../stubs/apache-commons-logging-1.2:${testdir}/../../../stubs/mvel2-2.4.7:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/scriptengine:${testdir}/../../../stubs/jsr223-api:${testdir}/../../../stubs/apache-freemarker-2.3.31:${testdir}/../../../stubs/jinjava-2.6.0:${testdir}/../../../stubs/pebble-3.1.5:${testdir}/../../../stubs/thymeleaf-3.0.14:${testdir}/../../../stubs/apache-velocity-2.3:${testdir}/../../..//stubs/google-android-9.0.0