updated help file and unit tests

Author: Jami Cogswell

java/ql/src/Security/CWE/CWE-926/ExampleBad.xml

@@ -0,0 +1,11 @@
+<manifest ... >
+    <application ...
+        <!-- BAD: this component is implicitly exported -->
+        <activity>
+            android:name=".Activity">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-926/ExampleGood.xml

@@ -0,0 +1,12 @@
+<manifest ... >
+    <application ...
+        <!-- GOOD: this component is not exported due to 'android:exported' explicitly set to 'false'-->
+        <activity>
+            android:name=".Activity">
+            android:exported="false"
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>

java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.qhelp

@@ -5,30 +5,27 @@
 
 <overview>
 <p>The Android manifest file defines configuration settings for Android applications.
-In this file, the <code>android:debuggable</code> attribute of the <code>application</code> element can be used to
-define whether or not the application can be debugged. When set to <code>true</code>, this attribute will allow the
-application to be debugged even when running on a device in user mode.</p>
+In this file, components can be declared with intent filters which specify the types of intents the component can respond to.
+If the <code>android:exported</code> attribute is omitted from the component when an intent filter is included,
+then the component will be implicitly exported.</p>
 
-<p>When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.
-As a result, <code>android:debuggable</code> should only be enabled during development and should be disabled in
-production builds.</p>
+<p>An implicitly exported component could allow for improper access to the component and its data.</p>
 
 </overview>
 <recommendation>
 
-<p>In Android applications either set the <code>android:debuggable</code> attribute to <code>false</code>
-or do not include it in the manifest. The default value when not included is <code>false</code>.</p>
+<p>Explicitly set the <code>android:exported</code> attribute for every component or use permissions to limit access to the component.</p>
 
 </recommendation>
 <example>
 
-<p>In the example below, the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>
+<p>In the example below, the component <code>android:exported</code> attribute is omitted when an intent filter is used.</p>
 
-<!--<sample src="DebuggableTrue.xml" />-->
+<sample src="ExampleBad.xml" />
 
-<p>The corrected version sets the <code>android:debuggable</code> attribute to <code>false</code>.</p>
+<p>A corrected version sets the <code>android:exported</code> attribute to <code>false</code>.</p>
 
-<!--<sample src="DebuggableFalse.xml" />-->
+<sample src="ExampleGood.xml" />
 
 </example>
 <references>
@@ -39,11 +36,19 @@ or do not include it in the manifest. The default value when not included is <co
 </li>
 <li>
   Android Developers:
-  <a href="https://developer.android.com/guide/topics/manifest/application-element#debug">The android:debuggable attribute</a>.
+  <a href="https://developer.android.com/guide/topics/manifest/intent-filter-element">intent-filter-element</a>.
 </li>
 <li>
   Android Developers:
-  <a href="https://developer.android.com/studio/debug#enable-debug">Enable debugging</a>.
+  <a href="https://developer.android.com/guide/topics/manifest/activity-element#exported">The android:exported attribute</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/activity-element#prmsn">The android:permission attribute</a>.
+</li>
+<li>
+  Android Developers:
+  <a href="https://developer.android.com/about/versions/12/behavior-changes-12#exported">Safer component exporting</a>.
 </li>
 
 </references>

java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml

@@ -12,7 +12,6 @@
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.HappyBirthday"
-        android:permission="android.permission.SEND_SMS"
         tools:targetApi="31">  <!-- test -->
         <!-- Safe: category LAUNCHER --> <activity
             android:name=".MainActivity">
@@ -29,6 +28,26 @@
                 <action android:name="android.intent.action.MAIN" />
             </intent-filter>
         </activity>
+
+        <!-- Safe: 'android:exported' explicitly set --> <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+            </intent-filter>
+        </activity>
+
+        <!-- Safe: no intent filter --> <activity
+            android:name=".MainActivity">
+        </activity>
+
+        <!-- Safe: has 'permission' attribute --> <activity
+            android:name=".MainActivity"
+            android:permission=".Test">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+            </intent-filter>
+        </activity>
     </application>
 
 </manifest>

java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql

@@ -9,13 +9,9 @@ class ImplicitlyExportedAndroidComponentTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasImplicitExport" and
-    exists(AndroidComponentXmlElement compElem, AndroidIntentFilterXmlElement intFiltElem |
-      not compElem.hasAttribute("exported") and
-      //compElem.getAnIntentFilterElement() instanceof AndroidIntentFilterXmlElement
-      not intFiltElem.getParent() = compElem
-    |
-      compElem.getLocation() = location and
-      element = compElem.toString() and
+    exists(AndroidComponentXmlElement compElement | compElement.isImplicitlyExported() |
+      compElement.getLocation() = location and
+      element = compElement.toString() and
       value = ""
     )
   }

java/ql/test/query-tests/security/CWE-926/Testbuild/AndroidManifest.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">  <!-- test -->
+        <!-- Safe: category LAUNCHER --> <activity
+            android:name=".MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <!-- Safe: in build directory --> <activity
+            android:name=".MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+            </intent-filter>
+        </activity>
+
+        <!-- Safe: 'android:exported' explicitly set --> <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+            </intent-filter>
+        </activity>
+
+        <!-- Safe: no intent filter --> <activity
+            android:name=".MainActivity">
+        </activity>
+
+        <!-- Safe: has 'permission' attribute --> <activity
+            android:name=".MainActivity"
+            android:permission=".Test">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>