Port MASTG-TEST-0025: Testing for Injection Flaws (android) (by @appknox)

[ScreaMy7]

closes #2999

[Copilot]

Pull Request Overview

This PR ports MASTG-TEST-0025 to the new V2 format as MASTG-TEST-0288, focusing on SQL injection vulnerabilities in Android ContentProviders. The change deprecates the old test and introduces a new version with updated testing methodology.

• Deprecates MASTG-TEST-0025 and creates MASTG-TEST-0288 as its replacement
• Introduces a Semgrep rule to detect SQL injection patterns in ContentProvider implementations
• Adds comprehensive demo code showing vulnerable ContentProvider with SQL injection via URI path segments

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

File	Description
tests/android/MASVS-CODE/MASTG-TEST-0025.md	Marks the original test as deprecated with reference to new version
tests-beta/android/MASVS-CODE/MASTG-TEST-0288.md	New test specification for SQL injection in ContentProvider
rules/mastg-android-sql-injection-contentprovider.yml	Semgrep rule to detect unsafe URI path usage in SQL queries
demos/android/MASVS-CODE/MASTG-DEMO-0061/	Complete demo implementation with vulnerable code and test execution

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[serek8]

I left a couple comments in the files. Please have a look.

[serek8]

Should we also add functions such as rawQuery and execSQL? Are there more similar functions?

[ScreaMy7]

This generates a lot of false positives, the vulnerability comes from how that text is constructed as its concatenation based unlike the path based used here.

[serek8]

The test should cover all API that can lead to SQL injection. The title points at an overall issue too. Android doc mentions it here. Can you also add Best practices about using PreparedStatement

[ScreaMy7]

@serek8 ,
I made the changes as requested, please review.

[serek8]

We still need to add best practices about Prepared Statements because they were present in MASTG-TEST-0025.md that we want to deprecate. We don't want to loose this information. Apart from that, let's fix the linter errors, everything else looks good.

[serek8]

@ScreaMy7 did you have some time to have a look at it?

[ScreaMy7]

@serek8 I have added the changes.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[serek8]

The content looks good. Please fix the building/linter issues.

[ScreaMy7]

The error is related dead links in other test files, not related with this PR.

[serek8]

@ScreaMy7 can you please add AndroidManifest.xml to the Demo? Without that the Provider won't work.

[cpholguera]

Suggested change

	title: Prevent SQL Injection in ContentProviders
	title: Prevent SQL Injection in Content Providers

[cpholguera]

Suggested change

	title: Injection flaws in Android Content providers
	title: Injection Flaws in Android Content Providers

[cpholguera]

Suggested change

	title: Testing Content URI Injection and Path-Segment Abuse
	title: Content Providers URI Injection and Path-Segment Abuse

[cpholguera]

This needs a better title and potentially must be split in 2 techniques

[cpholguera]

Link MASTG-KNOW

[ScreaMy7]

@cpholguera There is no MASTG-KNOW related to this, should I create a new MASTG-KNOW.md file?

[cpholguera]

Map to knowledge