Incomplete Android content provider permissions documentation

2025-12-20 10:46:30 +01:00 · 2022-09-29 14:05:18 -04:00
parent e37f62bb5e
commit dedd29e1b3
5 changed files with 106 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.qhelp
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.qhelp
@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>In the Android manifest file, an application's <code>provider</code> elements
+  define the permissions necessary to access a resource using that provider.
+  Permissions are specified with
+  the <code>android:readPermission</code>, <code>android:writePermission</code>,
+  or <code>android:permission</code> attributes. If an application only
+  specifies the <code>android:readPermission</code>
+  or <code>android:writePermission</code> attribute, no permissions will be
+  required to do other operations.
+</p>
+
+<p>Content providers should either define both the read and write permissions
+attributes, or define the general <code>android:permission</code> attribute.</p>
+</overview>
+
+<recommendation>
+  To prevent permission bypass, <code>provider</code> elements should either
+  specify both the <code>android:readPermission</code>
+  and <code>android:writePermission</code> attributes, or specify
+  the <code>android:permission</code> attribute.
+</recommendation>
+
+<example>
+
+  <p>In the following two (bad) examples, the provider is configured with only
+  read or write permissions.</p>
+
+  <sample src="ContentProviderIncompletePermissionsReadOnly.xml"/>
+
+  <sample src="ContentProviderIncompletePermissionsWriteOnly.xml"/>
+
+  <p>In the following (good) examples, the provider is configured with full permissions.</p>
+
+  <sample src="ContentProviderIncompletePermissionsReadWrite.xml"/>
+
+  <sample src="ContentProviderIncompletePermissionsFull.xml"/>
+</example>
+
+<references>
+<li>
+  Android Documentation:
+  <a href="https://developer.android.com/guide/topics/manifest/provider-element">Provider element</a>
+</li>
+<li>
+  CVE-2021-41166: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41166">Insufficient
+  permission control in Nextcloud Android app</a>
+</li>
+<li>
+  GitHub Security Lab Research:
+  <a href="https://securitylab.github.com/advisories/GHSL-2021-1007-Nextcloud_Android_app/#issue-2-permission-bypass-in-disklruimagecachefileprovider-ghsl-2021-1008">Insufficient permission control in Nextcloud Android app</a>
+</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsFull.xml
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsFull.xml
@@ -0,0 +1,12 @@
+<manifest ... >
+    <application ...>
+      <!-- Good: 'android:permission' is set  -->
+      <provider
+          android:name=".MyContentProvider"
+          android:authorities="table"
+          android:enabled="true"
+          android:exported="true"
+          android:permission="android.permission.MANAGE_DOCUMENTS">
+      </provider>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsReadOnly.xml
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsReadOnly.xml
@@ -0,0 +1,12 @@
+<manifest ... >
+    <application ...>
+      <!-- BAD: only 'android:readPermission' is set -->
+      <provider
+          android:name=".MyContentProvider"
+          android:authorities="table"
+          android:enabled="true"
+          android:exported="true"
+          android:readPermission="android.permission.MANAGE_DOCUMENTS">
+      </provider>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsReadWrite.xml
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsReadWrite.xml
@@ -0,0 +1,13 @@
+<manifest ... >
+    <application ...>
+      <!-- Good: both 'android:readPermission' and 'android:writePermission' are set -->
+      <provider
+          android:name=".MyContentProvider"
+          android:authorities="table"
+          android:enabled="true"
+          android:exported="true"
+          android:writePermission="android.permission.MANAGE_DOCUMENTS"
+          android:readPermission="android.permission.MANAGE_DOCUMENTS">
+      </provider>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsWriteOnly.xml
+++ b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissionsWriteOnly.xml
@@ -0,0 +1,12 @@
+<manifest ... >
+    <application ...>
+      <!-- BAD: only 'android:writePermission' is set -->
+      <provider
+          android:name=".MyContentProvider"
+          android:authorities="table"
+          android:enabled="true"
+          android:exported="true"
+          android:writePermission="android.permission.MANAGE_DOCUMENTS">
+      </provider>
+    </application>
+</manifest>