switched to checking for permission attr in application elem instead of in manifest elem

Jami Cogswell · Jami Cogswell · commit 60921a03559a · 2022-08-22T12:41:22.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql b/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
@@ -46,23 +46,23 @@ import semmle.code.xml.AndroidManifest
 //     "android.intent.category.LAUNCHER" // double-check this code (especially use of getAChild and pattern match with LAUNCHER (e.g. should I do .%LAUNCHER instead?--No, constant value per docs), etc.), and definitely need to add stuff to library for this; should use exists(...) here?
 // select compElem, "This component is implicitly exported."
 // THIRD DRAFT
-from AndroidComponentXmlElement compElem, AndroidManifestXmlElement manifestElem
+from AndroidComponentXmlElement compElem, AndroidApplicationXmlElement appElem
 where
   // Does NOT have `exported` attribute
   not compElem.hasAttribute("exported") and
-  // and DOES have an intent-filter (DOUBLE-CHECK THIS CODE AND CHECK AGAINST OTHER VERSIONS THAT SEEMED TO WORK THE SAME)
-  compElem.getAChild().hasName("intent-filter") and // compElem.getAChild("intent-filter"); need hasComponent with exists(...) here?
+  // and DOES have an intent-filter
+  compElem.getAChild().hasName("intent-filter") and // compElem.getAChild("intent-filter")
   // and does NOT have `permission` attribute
   not compElem.hasAttribute("permission") and
   // and is NOT in build directory (NOTE: switch to not isInBuildDirectory() once new predicate is merged into main)
   not compElem.getFile().getRelativePath().matches("%build%") and
   // and does NOT have a LAUNCHER category, see docs: https://developer.android.com/about/versions/12/behavior-changes-12#exported
   // Constant Value: "android.intent.category.LAUNCHER" from https://developer.android.com/reference/android/content/Intent#CATEGORY_LAUNCHER
-  // I think beloew is actually filtering out too much because there can be multiple intent-filters in one component, so 2nd intent-filter without the launcher
+  // I think below is actually filtering out too much because there can be multiple intent-filters in one component, so 2nd intent-filter without the launcher
   // could maybe be an issue, e.g. https://github.com/microsoft/DynamicsWOM/blob/62c2dad4cbbd4496a55aa3f644336044105bb1c1/app/src/main/AndroidManifest.xml#L56-L66
   not compElem.getAnIntentFilterElement().getAChild("category").getAttributeValue("name") =
-    "android.intent.category.LAUNCHER" and // double-check this code (especially use of getAChild and pattern match with LAUNCHER (e.g. should I do .%LAUNCHER instead?--No, constant value per docs), etc.), and definitely need to add stuff to library for this; should use exists(...) here?
-  // and NO <permission> element in manifest file since that will be applied to the component even if no `permission` attribute directly
-  // set on component per the docs:
-  not manifestElem.getAChild().hasName("permission")
+    "android.intent.category.LAUNCHER" and
+  // and NO android:permission attribute in <application> element since that will be applied to the component even
+  // if no `permission` attribute directly set on component per the docs:
+  not appElem.hasAttribute("permission")
 select compElem, "This component is implicitly exported."
diff --git a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
@@ -12,6 +12,7 @@
         android:roundIcon="@mipmap/ic_launcher_round"
         android:supportsRtl="true"
         android:theme="@style/Theme.HappyBirthday"
+        android:permission="android.permission.SEND_SMS"
         tools:targetApi="31">  <!-- test -->
         <!-- Safe: category LAUNCHER --> <activity
             android:name=".MainActivity">
