Merge pull request #18907 from teuron/cwe-925

[CWE-925] Intent verification is only needed on non-empty onReceive methods.

Author: owen-mc

java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll

@@ -51,7 +51,9 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
 /** An `onReceive` method that doesn't verify the action of the intent it receives. */
 private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
   UnverifiedOnReceiveMethod() {
-    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _)
+    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and
+    // Empty methods do not need to be verified since they do not perform any actions.
+    this.getBody().getNumStmt() > 0
   }
 }
 

java/ql/src/change-notes/2025-03-03-fix-improper-intent-verification-query.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.

java/ql/test/query-tests/security/CWE-925/AndroidManifest.xml

@@ -5,5 +5,10 @@
                 <action android:name="android.intent.action.BOOT_COMPLETED" />
             </intent-filter>
         </receiver>
+        <receiver android:name=".EmptyReceiverXml">
+            <intent-filter>
+                <action android:name"android.intent.action.BOOT_COMPLETED" />
+            </intent-filter>
+        </receiver>
     </application>
-</manifest>
+</manifest>

java/ql/test/query-tests/security/CWE-925/EmptyReceiverXml.java

@@ -0,0 +1,9 @@
+package test;
+import android.content.Intent;
+import android.content.Context;
+import android.content.BroadcastReceiver;
+
+class EmptyReceiverXml extends BroadcastReceiver {
+    @Override 
+    public void onReceive(Context ctx, Intent intent) { }
+}