Merge pull request github#3812 from luchua-bc/java-android-remote-source

Java: Add remote source of Android intent extra

Author: aschackmull

java/ql/src/experimental/Security/CWE/CWE-749/UnsafeAndroidAccess.ql

@@ -58,27 +58,6 @@ class FetchResourceMethodAccess extends MethodAccess {
   }
 }
 
-/**
- * Method access to external inputs of `android.content.Intent` object
- */
-class IntentGetExtraMethodAccess extends MethodAccess {
-  IntentGetExtraMethodAccess() {
-    this.getMethod().getName().regexpMatch("get\\w+Extra") and
-    this.getMethod().getDeclaringType() instanceof TypeIntent
-    or
-    this.getMethod().getName().regexpMatch("get\\w+") and
-    this.getQualifier().(MethodAccess).getMethod().hasName("getExtras") and
-    this.getQualifier().(MethodAccess).getMethod().getDeclaringType() instanceof TypeIntent
-  }
-}
-
-/**
- * Source of fetching URLs from intent extras
- */
-class UntrustedResourceSource extends DataFlow::ExprNode {
-  UntrustedResourceSource() { this.asExpr() instanceof IntentGetExtraMethodAccess }
-}
-
 /**
  * Holds if `ma` loads URL `sink`
  */
@@ -127,7 +106,7 @@ class UrlResourceSink extends DataFlow::ExprNode {
 class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
   FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedResourceSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
     sink instanceof UrlResourceSink and

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -16,6 +16,7 @@ import semmle.code.java.frameworks.android.XmlParsing
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.WebSocket
+import semmle.code.java.frameworks.android.Android
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.spring.SpringWeb
 import semmle.code.java.frameworks.spring.SpringController
@@ -323,15 +324,26 @@ class ReverseDNSMethod extends Method {
 
 /** Android `Intent` that may have come from a hostile application. */
 class AndroidIntentInput extends DataFlow::Node {
+  Type receiverType;
+
   AndroidIntentInput() {
     exists(MethodAccess ma, AndroidGetIntentMethod m |
       ma.getMethod().overrides*(m) and
-      this.asExpr() = ma
+      this.asExpr() = ma and
+      receiverType = ma.getReceiverType()
     )
     or
     exists(Method m, AndroidReceiveIntentMethod rI |
       m.overrides*(rI) and
-      this.asParameter() = m.getParameter(1)
+      this.asParameter() = m.getParameter(1) and
+      receiverType = m.getDeclaringType()
     )
   }
 }
+
+/** Exported Android `Intent` that may have come from a hostile application. */
+class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
+  ExportedAndroidIntentInput() { receiverType.(ExportableAndroidComponent).isExported() }
+
+  override string getSourceType() { result = "Exported Android intent source" }
+}

java/ql/src/semmle/code/java/frameworks/android/Android.qll

@@ -30,25 +30,42 @@ class AndroidComponent extends Class {
   predicate hasIntentFilter() { exists(getAndroidComponentXmlElement().getAnIntentFilterElement()) }
 }
 
+/**
+ * An Android component that can be explicitly or implicitly exported.
+ */
+class ExportableAndroidComponent extends AndroidComponent {
+  /**
+   * Holds if this Android component is configured as `exported` or has intent
+   * filters configured without `exported` explicitly disabled in an
+   * `AndroidManifest.xml` file.
+   */
+  override predicate isExported() {
+    getAndroidComponentXmlElement().isExported()
+    or
+    hasIntentFilter() and
+    not getAndroidComponentXmlElement().isNotExported()
+  }
+}
+
 /** An Android activity. */
-class AndroidActivity extends AndroidComponent {
+class AndroidActivity extends ExportableAndroidComponent {
   AndroidActivity() { this.getASupertype*().hasQualifiedName("android.app", "Activity") }
 }
 
 /** An Android service. */
-class AndroidService extends AndroidComponent {
+class AndroidService extends ExportableAndroidComponent {
   AndroidService() { this.getASupertype*().hasQualifiedName("android.app", "Service") }
 }
 
 /** An Android broadcast receiver. */
-class AndroidBroadcastReceiver extends AndroidComponent {
+class AndroidBroadcastReceiver extends ExportableAndroidComponent {
   AndroidBroadcastReceiver() {
     this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver")
   }
 }
 
 /** An Android content provider. */
-class AndroidContentProvider extends AndroidComponent {
+class AndroidContentProvider extends ExportableAndroidComponent {
   AndroidContentProvider() {
     this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
   }

java/ql/src/semmle/code/java/frameworks/android/Intent.qll

@@ -42,3 +42,13 @@ class IntentGetExtraMethod extends Method, TaintPreservingCallable {
 
   override predicate returnsTaintFrom(int arg) { arg = -1 }
 }
+
+/** A getter on `android.os.BaseBundle` or `android.os.Bundle`. */
+class BundleGetterMethod extends Method, TaintPreservingCallable {
+  BundleGetterMethod() {
+    getDeclaringType().hasQualifiedName("android.os", ["BaseBundle", "Bundle"]) and
+    getName().matches("get%")
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}

java/ql/src/semmle/code/xml/AndroidManifest.qll

@@ -137,6 +137,11 @@ class AndroidComponentXmlElement extends XMLElement {
    * Holds if the `android:exported` attribute of this component element is `true`.
    */
   predicate isExported() { getExportedAttributeValue() = "true" }
+
+  /**
+   * Holds if the `android:exported` attribute of this component element is explicitly set to `false`.
+   */
+  predicate isNotExported() { getExportedAttributeValue() = "false" }
 }
 
 /**

java/ql/test/experimental/query-tests/security/CWE-749/AndroidManifest.xml

@@ -0,0 +1,51 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <uses-permission android:name="android.permission.INTERNET" />
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".UnsafeAndroidAccess"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".UnsafeActivity1" android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+        
+        <activity android:name=".UnsafeActivity2">
+            <intent-filter>
+            <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+        
+        <activity android:name=".SafeActivity1" android:exported="false">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW"/>
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".SafeActivity2" android:exported="false" />
+
+        <activity android:name=".SafeActivity3" />
+
+        <activity android:name=".UnsafeActivity3" android:exported="true" />
+        <activity android:name=".UnsafeActivity4" android:exported="true" />
+
+        <receiver android:name=".UnsafeAndroidBroadcastReceiver" android:exported="true" />        
+    </application>
+
+</manifest>

java/ql/test/experimental/query-tests/security/CWE-749/IntentUtils.java

@@ -0,0 +1,24 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+/** A utility program for getting intent extra information from Android activity */
+public class IntentUtils {
+	/** Get intent extra */
+	public static String getIntentUrl(Activity a) {
+		String thisUrl = a.getIntent().getStringExtra("url");
+		return thisUrl;
+	}
+
+	/** Get bundle extra */
+	public static String getBundleUrl(Activity a) {
+		String thisUrl = a.getIntent().getExtras().getString("url");
+		return thisUrl;
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity1.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity1 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity2.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity2 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-749/SafeActivity3.java

@@ -0,0 +1,34 @@
+package com.example.app;
+
+import android.app.Activity;
+
+import android.os.Bundle;
+
+import android.webkit.WebSettings;
+import android.webkit.WebView;
+import android.webkit.WebViewClient;
+
+public class SafeActivity3 extends Activity {
+	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	public void onCreate(Bundle savedInstanceState) {
+		super.onCreate(savedInstanceState);
+		setContentView(-1);
+
+		WebView wv = (WebView) findViewById(-1);
+		WebSettings webSettings = wv.getSettings();
+
+		webSettings.setJavaScriptEnabled(true);
+		webSettings.setAllowFileAccessFromFileURLs(true);
+
+		wv.setWebViewClient(new WebViewClient() {
+			@Override
+			public boolean shouldOverrideUrlLoading(WebView view, String url) {
+				view.loadUrl(url);
+				return true;
+			}
+		});
+
+		String thisUrl = getIntent().getExtras().getString("url");
+		wv.loadUrl(thisUrl);
+	}
+}