Remove checks for dynamically registered recievers

joefarebrother · joefarebrother · commit c71586e1f8ba · 2022-06-14T14:56:24.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
@@ -55,85 +55,20 @@ string getASystemActionName() {
 }
 
 /** An expression or XML attribute that contains the name of a system intent action. */
-class SystemActionName extends Top {
+class SystemActionName extends AndroidActionXmlElement {
   string name;
 
   SystemActionName() {
     name = getASystemActionName() and
-    (
-      this.(CompileTimeConstantExpr).getStringValue() = "android.intent.action." + name
-      or
-      this.(FieldRead).getField().hasQualifiedName("android.content", "Intent", "ACTION_" + name)
-      or
-      this.(AndroidActionXmlElement).getActionName() = "android.intent.action." + name
-    )
+    this.getActionName() = "android.intent.action." + name
   }
 
   /** Gets the name of the system intent that this expression or attribute represents. */
-  string getName() { result = name }
-
-  override string toString() { result = [this.(Expr).toString(), this.(XMLAttribute).toString()] }
-}
-
-/** A call to `Context.registerReceiver` */
-private class RegisterReceiverCall extends MethodAccess {
-  RegisterReceiverCall() {
-    this.getMethod()
-        .getASourceOverriddenMethod*()
-        .hasQualifiedName("android.content", "Context", "registerReceiver")
-  }
-
-  /** Gets the `BroadcastReceiver` argument to this call. */
-  Expr getReceiverArgument() { result = this.getArgument(0) }
-
-  /** Gets the `IntentFilter` argument to this call. */
-  Expr getFilterArgument() { result = this.getArgument(1) }
-}
-
-/** A configuration to detect uses of `registerReceiver` with system intent actions. */
-private class RegisterSystemActionConfig extends DataFlow::Configuration {
-  RegisterSystemActionConfig() { this = "RegisterSystemActionConfig" }
-
-  override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SystemActionName }
-
-  override predicate isSink(DataFlow::Node node) {
-    exists(RegisterReceiverCall ma | node.asExpr() = ma.getFilterArgument())
-  }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(ConstructorCall cc |
-      cc.getConstructedType().hasQualifiedName("android.content", "IntentFilter") and
-      node1.asExpr() = cc.getArgument(0) and
-      node2.asExpr() = cc
-    )
-    or
-    exists(MethodAccess ma |
-      ma.getMethod().hasQualifiedName("android.content", "IntentFilter", "create") and
-      node1.asExpr() = ma.getArgument(0) and
-      node2.asExpr() = ma
-    )
-    or
-    exists(MethodAccess ma |
-      ma.getMethod().hasQualifiedName("android.content", "IntentFilter", "addAction") and
-      node1.asExpr() = ma.getArgument(0) and
-      node2.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = ma.getQualifier()
-    )
-  }
-}
-
-/** Holds if `rrc` registers a receiver `orm` to receive the system action `sa` that doesn't verify the intents it receives. */
-private predicate registeredUnverifiedSystemReceiver(
-  RegisterReceiverCall rrc, UnverifiedOnReceiveMethod orm, SystemActionName sa
-) {
-  exists(RegisterSystemActionConfig conf, ConstructorCall cc |
-    conf.hasFlow(DataFlow::exprNode(sa), DataFlow::exprNode(rrc.getFilterArgument())) and
-    cc.getConstructedType() = orm.getDeclaringType() and
-    DataFlow::localExprFlow(cc, rrc.getReceiverArgument())
-  )
+  string getSystemActionName() { result = name }
 }
 
 /** Holds if the XML element `rec` declares a receiver `orm` to receive the system action named `sa` that doesn't verify intents it receives. */
-private predicate xmlUnverifiedSystemReceiver(
+predicate unverifiedSystemReceiver(
   AndroidReceiverXmlElement rec, UnverifiedOnReceiveMethod orm, SystemActionName sa
 ) {
   exists(Class ormty |
@@ -142,9 +77,3 @@ private predicate xmlUnverifiedSystemReceiver(
     rec.getAnIntentFilterElement().getAnActionElement() = sa
   )
 }
-
-/** Holds if `reg` registers (either explicitly or through XML) a receiver `orm` to receive the system action named `sa` that doesn't verify the intents it receives. */
-predicate unverifiedSystemReceiver(Top reg, Method orm, SystemActionName sa) {
-  registeredUnverifiedSystemReceiver(reg, orm, sa) or
-  xmlUnverifiedSystemReceiver(reg, orm, sa)
-}
diff --git a/java/ql/src/Security/CWE/CWE-925/AndroidManifest.xml b/java/ql/src/Security/CWE/CWE-925/AndroidManifest.xml
@@ -0,0 +1,9 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test">
+    <application>
+        <receiver android:name=".BootReceiverXml">
+            <intent-filter>
+                <action android:name="android.intent.action.BOOT_COMPLETED" />
+            </intent-filter>
+        </receiver>
+    </application>
+</manifest>
diff --git a/java/ql/src/Security/CWE/CWE-925/Bad.java b/java/ql/src/Security/CWE/CWE-925/Bad.java
@@ -1,9 +1,3 @@
-// ...
-IntentFilter filter = new IntentFilter(Intent.ACTION_SHUTDOWN);
-BroadcastReceiver sReceiver = new ShutDownReceiver();
-context.registerReceiver(sReceiver, filter);
-// ...
-
 public class ShutdownReceiver extends BroadcastReceiver {
     @Override
     public void onReceive(final Context context, final Intent intent) {
diff --git a/java/ql/src/Security/CWE/CWE-925/Good.java b/java/ql/src/Security/CWE/CWE-925/Good.java
@@ -1,9 +1,3 @@
-// ...
-IntentFilter filter = new IntentFilter(Intent.ACTION_SHUTDOWN);
-BroadcastReceiver sReceiver = new ShutDownReceiver();
-context.registerReceiver(sReceiver, filter);
-// ...
-
 public class ShutdownReceiver extends BroadcastReceiver {
     @Override
     public void onReceive(final Context context, final Intent intent) {
diff --git a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.qhelp b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.qhelp
@@ -21,6 +21,7 @@ Otherwise, a third-party application could impersonate the system this way and c
   without checking that the received action is indeed <code>ACTION_SHUTDOWN</code>. This allows third-party applications to 
   send explicit intents to this receiver to cause a denial of service.</p>
 <sample src="Bad.java" />
+<sample src="AndroidManifest.xml" />
 </example>
 
 <recommendation>
diff --git a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
@@ -13,7 +13,7 @@
 import java
 import semmle.code.java.security.ImproperIntentVerificationQuery
 
-from Top reg, Method orm, SystemActionName sa
+from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
 where unverifiedSystemReceiver(reg, orm, sa)
 select orm, "This reciever doesn't verify intents it receives, and is registered $@ to receive $@.",
   reg, "here", sa, "the system action " + sa.getName()
diff --git a/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerificationTest.java b/java/ql/test/query-tests/security/CWE-925/ImproperIntentVerificationTest.java
