Fix QLL and add change notes with tests

teuron · teuron · commit c9b75afc2a5f · 2025-03-05T10:23:35.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
@@ -51,7 +51,9 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
 /** An `onReceive` method that doesn't verify the action of the intent it receives. */
 private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
   UnverifiedOnReceiveMethod() {
-    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _)
+    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and
+    // Empty methods do not need to be verified since they do not perform any actions.
+    this.getBody().getNumStmt() > 0
   }
 }
 
diff --git a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
@@ -14,6 +14,6 @@ import java
 import semmle.code.java.security.ImproperIntentVerificationQuery
 
 from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
-where unverifiedSystemReceiver(reg, orm, sa) and orm.getBody().getBlock().getNumStmt() > 0
+where unverifiedSystemReceiver(reg, orm, sa)
 select orm, "This reciever doesn't verify intents it receives, and $@ to receive $@.", reg,
   "it is registered", sa, "the system action " + sa.getName()
diff --git a/java/ql/src/change-notes/2025-03-03-fix-improper-intent-verification-query.md b/java/ql/src/change-notes/2025-03-03-fix-improper-intent-verification-query.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positive in CWE-925 by requiring the `onReceive` method must be non-empty
diff --git a/java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml
@@ -5,5 +5,10 @@
                 <action android:name="android.intent.action.BOOT_COMPLETED" />
             </intent-filter>
         </receiver>
+        <reveicer android:name=".EmptyReceiverXml">
+            <intent-filter>
+                <action android:name"android.intent.action.BOOT_COMPLETED" />
+	    </intent-filter>
+        </receiver>
     </application>
-</manifest>
+</manifest>
diff --git a/java/ql/test/query-tests/security/CWE-925/EmptyReceiverXml.java b/java/ql/test/query-tests/security/CWE-925/EmptyReceiverXml.java
@@ -0,0 +1,9 @@
+package test;
+import android.content.Intent;
+import android.content.Context;
+import android.content.BroadcastReceiver;
+
+class EmptyReceiverXml extends BroadcastReceiver {
+    @Override 
+    public void onReceive(Context ctx, Intent intent) { }
+}

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,9 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;`
`51`	`51`	/** An `onReceive` method that doesn't verify the action of the intent it receives. */
`52`	`52`	`private class UnverifiedOnReceiveMethod extends OnReceiveMethod {`
`53`	`53`	`UnverifiedOnReceiveMethod() {`
`54`		`- not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _)`
	`54`	`+ not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and`
	`55`	`+ // Empty methods do not need to be verified since they do not perform any actions.`
	`56`	`+ this.getBody().getNumStmt() > 0`
`55`	`57`	`}`
`56`	`58`	`}`
`57`	`59`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Fixed false positive in CWE-925 by requiring the `onReceive` method must be non-empty