Renamed to AndroidIntentRedirection

Added qhelp

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirect.qhelp

@@ -1,18 +0,0 @@
-<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p></p>
-    </overview>
-    <recommendation>
-        <p></p>
-    </recommendation>
-    <example>
-        <p></p>
-        <sample src="" />
-    </example>
-    <references>
-        <li>
-            <a href=""></a>
-        </li>
-    </references>
-</qhelp>

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.qhelp

@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>An exported Android component that obtains a user-provided Intent and uses it to launch another component
+        can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components
+        in behalf of the victim app.</p>
+    </overview>
+    <recommendation>
+        <p>Do not export compontents that start other components from a user-provided Intent. 
+        They can be made private by setting the `android:exported` property to `false` in the app's Android Manifest.</p>
+        <p>If this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.</p>
+    </recommendation>
+    <example>
+        <p>The following snippet contains two examples.
+        In the first example, an arbitrary component can be started from the externally provided `forward_intent` Intent.
+        In the second example, the destination component of the Intent is first checked to make sure it is safe.</p>
+        <sample src="AndroidIntentRedirectionSample.java" />
+    </example>
+    <references>
+        <li>
+            Google:
+            <a href="https://support.google.com/faqs/answer/9267555?hl=en">Remediation for Intent Redirection Vulnerability</a>.
+        </li>
+        <li>
+            OWASP Mobile Security Testing Guide:
+            <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents">Intents</a>.
+        </li>
+        <li>
+            Android Developers:
+            <a href="https://developer.android.com/guide/topics/manifest/activity-element#exported">The `android:exported` attribute</a>.
+        </li>
+    </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

@@ -1,11 +1,13 @@
 /**
- * @name Android Intent redirect
- * @description xxx
+ * @name Android Intent redirection
+ * @description Starting Android components with user-provided Intents
+ *              can provide access to internal components of the application,
+ *              increasing the attack surface and potentially causing unintended effects.
  * @kind path-problem
  * @problem.severity error
- * @security-severity xx
+ * @security-severity 7.5
  * @precision high
- * @id java/android/unsafe-android-webview-fetch
+ * @id java/android/intent-redirection
  * @tags security
  *       external/cwe/cwe-926
  *       external/cwe/cwe-940
@@ -13,10 +15,10 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.security.AndroidIntentRedirectQuery
+import semmle.code.java.security.AndroidIntentRedirectionQuery
 import DataFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectConfiguration conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectionConfiguration conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "Arbitrary Android activities or services can be started from $@.", source.getNode(),

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirectionSample.java

@@ -0,0 +1,18 @@
+// BAD: A user-provided Intent is used to launch an arbitrary component
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+startActivity(forwardIntent);
+
+// GOOD: The destination component is checked before launching it
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+ComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());
+if (destinationComponent.getPackageName().equals("safe.package") && 
+    destinationComponent.getClassName().equals("SafeClass")) {
+    startActivity(forwardIntent);
+}
+
+// GOOD: The component that sent the Intent is checked before launching the destination component
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+ComponentName originComponent = getCallingActivity();
+if (originComponent.getPackageName().equals("trusted.package") && originComponent.getClassName("TrustedClass")) {
+    startActivity(forwardIntent);
+}