Merge pull request github#10223 from atorralba/atorralba/unsafe-content-resolver

Java: New Android query to detect unsafe content URI resolution

Author: atorralba

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolution.qll

@@ -0,0 +1,87 @@
+/** Provides classes to reason about vulnerabilites related to content URIs. */
+
+import java
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.frameworks.android.Android
+private import semmle.code.java.security.PathSanitizer
+
+/** A URI that gets resolved by a `ContentResolver`. */
+abstract class ContentUriResolutionSink extends DataFlow::Node { }
+
+/** A sanitizer for content URIs. */
+abstract class ContentUriResolutionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps to configurations related to
+ * content URI resolution vulnerabilities.
+ */
+class ContentUriResolutionAdditionalTaintStep extends Unit {
+  /** Holds if the step from `node1` to `node2` should be considered an additional taint step. */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/** The URI argument of a call to a `ContentResolver` URI-opening method. */
+private class DefaultContentUriResolutionSink extends ContentUriResolutionSink {
+  DefaultContentUriResolutionSink() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof UriOpeningContentResolverMethod and
+      this.asExpr() = ma.getAnArgument() and
+      this.getType().(RefType).hasQualifiedName("android.net", "Uri")
+    )
+  }
+}
+
+/** A `ContentResolver` method that resolves a URI. */
+private class UriOpeningContentResolverMethod extends Method {
+  UriOpeningContentResolverMethod() {
+    this.hasName([
+        "openInputStream", "openOutputStream", "openAssetFile", "openAssetFileDescriptor",
+        "openFile", "openFileDescriptor", "openTypedAssetFile", "openTypedAssetFileDescriptor",
+      ]) and
+    this.getDeclaringType() instanceof AndroidContentResolver
+  }
+}
+
+private class UninterestingTypeSanitizer extends ContentUriResolutionSanitizer {
+  UninterestingTypeSanitizer() {
+    this.getType() instanceof BoxedType or
+    this.getType() instanceof PrimitiveType or
+    this.getType() instanceof NumberType
+  }
+}
+
+private class PathSanitizer extends ContentUriResolutionSanitizer instanceof PathInjectionSanitizer {
+}
+
+private class FilenameOnlySanitizer extends ContentUriResolutionSanitizer {
+  FilenameOnlySanitizer() {
+    exists(Method m | this.asExpr().(MethodAccess).getMethod() = m |
+      m.hasQualifiedName("java.io", "File", "getName") or
+      m.hasQualifiedName("kotlin.io", "FilesKt", ["getNameWithoutExtension", "getExtension"]) or
+      m.hasQualifiedName("org.apache.commons.io", "FilenameUtils", "getName")
+    )
+  }
+}
+
+/**
+ * A `ContentUriResolutionSink` that flows to an image-decoding function.
+ * Such functions raise exceptions when the input is not a valid image,
+ * which prevents accessing arbitrary non-image files.
+ */
+private class DecodedAsAnImageSanitizer extends ContentUriResolutionSanitizer {
+  DecodedAsAnImageSanitizer() {
+    exists(Argument decodeArg, MethodAccess decode |
+      decode.getArgument(0) = decodeArg and
+      decode
+          .getMethod()
+          .hasQualifiedName("android.graphics", "BitmapFactory",
+            [
+              "decodeByteArray", "decodeFile", "decodeFileDescriptor", "decodeResource",
+              "decodeStream"
+            ])
+    |
+      TaintTracking::localExprTaint(this.(ContentUriResolutionSink).asExpr().(Argument).getCall(),
+        decodeArg)
+    )
+  }
+}

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -0,0 +1,24 @@
+/** Provides taint tracking configurations to be used in unsafe content URI resolution queries. */
+
+import java
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeContentUriResolution
+
+/** A taint-tracking configuration to find paths from remote sources to content URI resolutions. */
+class UnsafeContentResolutionConf extends TaintTracking::Configuration {
+  UnsafeContentResolutionConf() { this = "UnsafeContentResolutionConf" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof ContentUriResolutionSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
+  }
+}

java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.java

@@ -0,0 +1,41 @@
+import android.content.ContentResolver;
+import android.net.Uri;
+
+public class Example extends Activity {
+    public void onCreate() {
+        // BAD: Externally-provided URI directly used in content resolution
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            InputStream is = contentResolver.openInputStream(uri);
+            copyToExternalCache(is);
+        }
+        // BAD: input URI is not normalized, and check can be bypassed with ".." characters
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            if (path.startsWith("/data"))
+                throw new SecurityException();
+            InputStream is = contentResolver.openInputStream(uri);
+            copyToExternalCache(is);
+        }
+        // GOOD: URI is properly validated to block access to internal files
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            java.nio.file.Path normalized =
+                    java.nio.file.FileSystems.getDefault().getPath(path).normalize();
+            if (normalized.startsWith("/data"))
+                throw new SecurityException();
+            InputStream is = contentResolver.openInputStream(uri);
+            copyToExternalCache(is);
+        }
+    }
+
+    private void copyToExternalCache(InputStream is) {
+        // Reads the contents of is and writes a file in the app's external
+        // cache directory, which can be read publicly by applications in the same device.
+    }
+}

java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.qhelp

@@ -0,0 +1,49 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+  When an Android application wants to access data in a content provider, it uses the <code>ContentResolver</code>
+  object. <code>ContentResolver</code>s communicate with an instance of a class that implements the 
+  <code>ContentProvider</code> interface via URIs with the <code>content://</code> scheme.
+
+  The authority part (the first path segment) of the URI, passed as parameter to the <code>ContentResolver</code>, 
+  determines which content provider is contacted for the operation. Specific operations that act on files also
+  support the <code>file://</code> scheme, in which case the local filesystem is queried instead.
+
+  If an external component, like a malicious or compromised application, controls the URI for a
+  <code>ContentResolver</code> operation, it can trick the vulnerable application into accessing its own private
+  files or non-exported content providers. The attacking application might be able to get access to the file by forcing it to be copied to a public directory, like
+  external storage, or tamper with the contents by making the application overwrite the file with unexpected data.
+</p>
+</overview>
+<recommendation>
+<p>
+  If possible, avoid using externally-provided data to determine the URI for a <code>ContentResolver</code> to use.
+  If that is not an option, validate that the incoming URI can only reference trusted components, like an allow list
+  of content providers and/or applications, or alternatively make sure that the URI does not reference private
+  directories like <code>/data/</code>.
+</p>
+</recommendation>
+<example>
+<p>
+  This example shows three ways of opening a file using a <code>ContentResolver</code>. In the first case, externally-provided
+  data from an intent is used directly in the file-reading operation. This allows an attacker to provide a URI
+  of the form <code>/data/data/(vulnerable app package)/(private file)</code> to trick the application into reading it and
+  copying it to the external storage. In the second case, an insufficient check is performed on the externally-provided URI, still
+  leaving room for exploitation. In the third case, the URI is correctly validated before being used, making sure it does not reference
+  any internal application files.
+</p>
+<sample src="UnsafeContentUriResolution.java" />
+</example>
+<references>
+  <li>
+  Android developers:
+    <a href="https://developer.android.com/guide/topics/providers/content-provider-basics">Content provider basics</a>
+  </li>
+  <li>
+    <a href="https://developer.android.com/reference/android/content/ContentResolver">The ContentResolver class</a>
+  </li>
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Uncontrolled data used in content resolution
+ * @description Resolving externally-provided content URIs without validation can allow an attacker
+ *              to access unexpected resources.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id java/android/unsafe-content-uri-resolution
+ * @tags security
+ *     external/cwe/cwe-441
+ *     external/cwe/cwe-610
+ */
+
+import java
+import semmle.code.java.security.UnsafeContentUriResolutionQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode src, DataFlow::PathNode sink
+where any(UnsafeContentResolutionConf c).hasFlowPath(src, sink)
+select sink.getNode(), src, sink,
+  "This ContentResolver method that resolves a URI depends on a $@.", src.getNode(),
+  "user-provided value"

java/ql/src/change-notes/2022-08-26-unsafe-content-uri-resolution.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization.

java/ql/test/query-tests/security/CWE-441/AndroidManifest.xml

@@ -0,0 +1,6 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="test">
+    <application>
+        <activity android:exported="true" android:name=".Test">
+        </activity>
+    </application>
+</manifest>

java/ql/test/query-tests/security/CWE-441/Test.java

@@ -0,0 +1,115 @@
+package test;
+
+import android.content.ContentResolver;
+import android.net.Uri;
+import android.app.Activity;
+
+public class Test extends Activity {
+    private void validateWithEquals(Uri uri) {
+        if (!uri.equals(Uri.parse("content://safe/uri")))
+            throw new SecurityException();
+    }
+
+    private void validateWithAllowList(Uri uri) throws SecurityException {
+        String path = uri.getPath();
+        java.nio.file.Path normalized =
+                java.nio.file.FileSystems.getDefault().getPath(path).normalize();
+        if (!normalized.startsWith("/safe/path"))
+            throw new SecurityException();
+    }
+
+    private void validateWithBlockList(Uri uri) throws SecurityException {
+        String path = uri.getPath();
+        java.nio.file.Path normalized =
+                java.nio.file.FileSystems.getDefault().getPath(path).normalize();
+        if (normalized.startsWith("/data"))
+            throw new SecurityException();
+    }
+
+    public void onCreate() {
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            contentResolver.openInputStream(uri); // $ hasTaintFlow
+            contentResolver.openOutputStream(uri); // $ hasTaintFlow
+            contentResolver.openAssetFile(uri, null, null); // $ hasTaintFlow
+            contentResolver.openAssetFileDescriptor(uri, null); // $ hasTaintFlow
+            contentResolver.openFile(uri, null, null); // $ hasTaintFlow
+            contentResolver.openFileDescriptor(uri, null); // $ hasTaintFlow
+            contentResolver.openTypedAssetFile(uri, null, null, null); // $ hasTaintFlow
+            contentResolver.openTypedAssetFileDescriptor(uri, null, null); // $ hasTaintFlow
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            if (path.startsWith("/data"))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // $ hasTaintFlow
+        }
+        // Equals checks
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            if (!uri.equals(Uri.parse("content://safe/uri")))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // Safe
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            validateWithEquals(uri);
+            contentResolver.openInputStream(uri); // Safe
+        }
+        // Allow list checks
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            if (!path.startsWith("/safe/path"))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // $ hasTaintFlow
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            java.nio.file.Path normalized =
+                    java.nio.file.FileSystems.getDefault().getPath(path).normalize();
+            if (!normalized.startsWith("/safe/path"))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // Safe
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            validateWithAllowList(uri);
+            contentResolver.openInputStream(uri); // Safe
+        }
+        // Block list checks
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            if (path.startsWith("/data"))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // $ hasTaintFlow
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            String path = uri.getPath();
+            java.nio.file.Path normalized =
+                    java.nio.file.FileSystems.getDefault().getPath(path).normalize();
+            if (normalized.startsWith("/data"))
+                throw new SecurityException();
+            contentResolver.openInputStream(uri); // Safe
+        }
+        {
+            ContentResolver contentResolver = getContentResolver();
+            Uri uri = (Uri) getIntent().getParcelableExtra("URI_EXTRA");
+            validateWithBlockList(uri);
+            contentResolver.openInputStream(uri); // Safe
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-441/UnsafeContentUriResolutionTest.expected

@@ -0,0 +1,11 @@
+import java
+import TestUtilities.InlineFlowTest
+import semmle.code.java.security.UnsafeContentUriResolutionQuery
+
+class Test extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+
+  override TaintTracking::Configuration getTaintFlowConfig() {
+    result instanceof UnsafeContentResolutionConf
+  }
+}