Merge pull request #6397 from atorralba/atorralba/android-intent-redirect-query

Java: Create new Android Intent Redirection query

Author: atorralba

java/change-notes/2021-08-02-android-intent-redirect-query.md

@@ -0,0 +1,5 @@
+lgtm,codescanning
+* A new query "Android Intent redirection" (`java/android/intent-redirection`) has been added.
+This query finds exported Android components using received Intents to start other components,
+which can provide access to internal components of the application or cause other unintended
+effects.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -107,6 +107,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.frameworks.spring.SpringWebMultipart
   private import semmle.code.java.frameworks.spring.SpringWebUtil
+  private import semmle.code.java.security.AndroidIntentRedirection
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.GroovyInjection

java/ql/lib/semmle/code/java/frameworks/android/Intent.qll

@@ -10,6 +10,11 @@ class TypeIntent extends Class {
   TypeIntent() { this.hasQualifiedName("android.content", "Intent") }
 }
 
+/** The class `android.content.ComponentName`. */
+class TypeComponentName extends Class {
+  TypeComponentName() { this.hasQualifiedName("android.content", "ComponentName") }
+}
+
 /**
  * The class `android.app.Activity`.
  */
@@ -293,3 +298,34 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
       ]
   }
 }
+
+private class IntentComponentTaintSteps extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint",
+        "android.content;Intent;true;getIntent;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;getIntentOld;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;parseUri;(String,int);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;Intent;true;setComponent;;;Argument[0];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Parcel);;Argument[0];Argument[-1];taint",
+        "android.content;ComponentName;false;createRelative;(String,String);;Argument[0..1];ReturnValue;taint",
+        "android.content;ComponentName;false;createRelative;(Context,String);;Argument[1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToShortString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getPackageName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getShortClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;unflattenFromString;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll

@@ -0,0 +1,82 @@
+/** Provides classes to reason about Android Intent redirect vulnerabilities. */
+
+import java
+private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.frameworks.android.Intent
+
+/**
+ * A sink for Intent redirection vulnerabilities in Android,
+ * that is, method calls that start Android components (like activities or services).
+ */
+abstract class IntentRedirectionSink extends DataFlow::Node { }
+
+/** A sanitizer for data used to start an Android component. */
+abstract class IntentRedirectionSanitizer extends DataFlow::Node { }
+
+/**
+ * A unit class for adding additional taint steps.
+ *
+ * Extend this class to add additional taint steps that should apply to `IntentRedirectionConfiguration`.
+ */
+class IntentRedirectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for the `IntentRedirectionConfiguration` configuration.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "android.app;Activity;true;bindService;;;Argument[0];intent-start",
+        "android.app;Activity;true;bindServiceAsUser;;;Argument[0];intent-start",
+        "android.app;Activity;true;startActivityAsCaller;;;Argument[0];intent-start",
+        "android.app;Activity;true;startActivityForResult;(Intent,int);;Argument[0];intent-start",
+        "android.app;Activity;true;startActivityForResult;(Intent,int,Bundle);;Argument[0];intent-start",
+        "android.app;Activity;true;startActivityForResult;(String,Intent,int,Bundle);;Argument[1];intent-start",
+        "android.app;Activity;true;startActivityForResultAsUser;;;Argument[0];intent-start",
+        "android.content;Context;true;startActivities;;;Argument[0];intent-start",
+        "android.content;Context;true;startActivity;;;Argument[0];intent-start",
+        "android.content;Context;true;startActivityAsUser;;;Argument[0];intent-start",
+        "android.content;Context;true;startActivityFromChild;;;Argument[1];intent-start",
+        "android.content;Context;true;startActivityFromFragment;;;Argument[1];intent-start",
+        "android.content;Context;true;startActivityIfNeeded;;;Argument[0];intent-start",
+        "android.content;Context;true;startForegroundService;;;Argument[0];intent-start",
+        "android.content;Context;true;startService;;;Argument[0];intent-start",
+        "android.content;Context;true;startServiceAsUser;;;Argument[0];intent-start",
+        "android.content;Context;true;sendBroadcast;;;Argument[0];intent-start",
+        "android.content;Context;true;sendBroadcastAsUser;;;Argument[0];intent-start",
+        "android.content;Context;true;sendBroadcastWithMultiplePermissions;;;Argument[0];intent-start",
+        "android.content;Context;true;sendStickyBroadcast;;;Argument[0];intent-start",
+        "android.content;Context;true;sendStickyBroadcastAsUser;;;Argument[0];intent-start",
+        "android.content;Context;true;sendStickyOrderedBroadcast;;;Argument[0];intent-start",
+        "android.content;Context;true;sendStickyOrderedBroadcastAsUser;;;Argument[0];intent-start"
+      ]
+  }
+}
+
+/** Default sink for Intent redirection vulnerabilities. */
+private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
+  DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }
+}
+
+/**
+ * A default sanitizer for nodes dominated by calls to `ComponentName.getPackageName`
+ * or `ComponentName.getClassName`. These are used to check whether the origin or destination
+ * components are trusted.
+ */
+private class DefaultIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+  DefaultIntentRedirectionSanitizer() {
+    exists(MethodAccess ma, Method m, Guard g, boolean branch |
+      ma.getMethod() = m and
+      m.getDeclaringType() instanceof TypeComponentName and
+      m.hasName(["getPackageName", "getClassName"]) and
+      g.isEquality(ma, _, branch) and
+      g.controls(this.asExpr().getBasicBlock(), branch)
+    )
+  }
+}

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -0,0 +1,115 @@
+/** Provides taint tracking configurations to be used in Android Intent redirection queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.DataFlow3
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.security.AndroidIntentRedirection
+
+/**
+ * A taint tracking configuration for tainted Intents being used to start Android components.
+ */
+class IntentRedirectionConfiguration extends TaintTracking::Configuration {
+  IntentRedirectionConfiguration() { this = "IntentRedirectionConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof IntentRedirectionSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/**
+ * A sanitizer for sinks that receive the original incoming Intent,
+ * since its component cannot be arbitrarily set.
+ */
+private class OriginalIntentSanitizer extends IntentRedirectionSanitizer {
+  OriginalIntentSanitizer() { any(SameIntentBeingRelaunchedConfiguration c).hasFlowTo(this) }
+}
+
+/**
+ * Data flow configuration used to discard incoming Intents
+ * flowing directly to sinks that start Android components.
+ */
+private class SameIntentBeingRelaunchedConfiguration extends DataFlow3::Configuration {
+  SameIntentBeingRelaunchedConfiguration() { this = "SameIntentBeingRelaunchedConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
+
+  override predicate isBarrier(DataFlow::Node barrier) {
+    // Don't discard the Intent if its original component is tainted
+    barrier instanceof IntentWithTaintedComponent
+  }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // Intents being built with the copy constructor from the original Intent are discarded too
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType() instanceof TypeIntent and
+      node1.asExpr() = cie.getArgument(0) and
+      node1.asExpr().getType() instanceof TypeIntent and
+      node2.asExpr() = cie
+    )
+  }
+}
+
+/** An `Intent` with a tainted component. */
+private class IntentWithTaintedComponent extends DataFlow::Node {
+  IntentWithTaintedComponent() {
+    exists(IntentSetComponent setExpr, TaintedIntentComponentConf conf |
+      setExpr.getQualifier() = this.asExpr() and
+      conf.hasFlowTo(DataFlow::exprNode(setExpr.getSink()))
+    )
+  }
+}
+
+/**
+ * A taint tracking configuration for tainted data flowing to an `Intent`'s component.
+ */
+private class TaintedIntentComponentConf extends TaintTracking2::Configuration {
+  TaintedIntentComponentConf() { this = "TaintedIntentComponentConf" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    any(IntentSetComponent setComponent).getSink() = sink.asExpr()
+  }
+}
+
+/** A call to a method that changes the component of an `Intent`. */
+private class IntentSetComponent extends MethodAccess {
+  int sinkArg;
+
+  IntentSetComponent() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType() instanceof TypeIntent
+    |
+      m.hasName("setClass") and
+      sinkArg = 1
+      or
+      m.hasName("setClassName") and
+      exists(Parameter p |
+        p = m.getAParameter() and
+        p.getType() instanceof TypeString and
+        sinkArg = p.getPosition()
+      )
+      or
+      m.hasName("setComponent") and
+      sinkArg = 0
+      or
+      m.hasName("setPackage") and
+      sinkArg = 0
+    )
+  }
+
+  Expr getSink() { result = this.getArgument(sinkArg) }
+}

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>An exported Android component that obtains a user-provided Intent and uses it to launch another component
+        can be exploited to obtain access to private, unexported components of the same app or to launch other apps' components
+        on behalf of the victim app.</p>
+    </overview>
+    <recommendation>
+        <p>Do not export components that start other components from a user-provided Intent. 
+        They can be made private by setting the <code>android:exported</code> property to <code>false</code> in the app's Android Manifest.</p>
+        <p>If this is not possible, restrict either which apps can send Intents to the affected component, or which components can be started from it.</p>
+    </recommendation>
+    <example>
+        <p>The following snippet contains three examples.
+        In the first example, an arbitrary component can be started from the externally provided <code>forward_intent</code> Intent.
+        In the second example, the destination component of the Intent is first checked to make sure it is safe.
+        In the third example, the component that created the Intent is first checked to make sure it comes from a trusted origin.</p>
+        <sample src="AndroidIntentRedirectionSample.java" />
+    </example>
+    <references>
+        <li>
+            Google:
+            <a href="https://support.google.com/faqs/answer/9267555?hl=en">Remediation for Intent Redirection Vulnerability</a>.
+        </li>
+        <li>
+            OWASP Mobile Security Testing Guide:
+            <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05a-platform-overview#intents">Intents</a>.
+        </li>
+        <li>
+            Android Developers:
+            <a href="https://developer.android.com/guide/topics/manifest/activity-element#exported">The android:exported attribute</a>.
+        </li>
+    </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Android Intent redirection
+ * @description Starting Android components with user-provided Intents
+ *              can provide access to internal components of the application,
+ *              increasing the attack surface and potentially causing unintended effects.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/android/intent-redirection
+ * @tags security
+ *       external/cwe/cwe-926
+ *       external/cwe/cwe-940
+ */
+
+import java
+import semmle.code.java.security.AndroidIntentRedirectionQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectionConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Arbitrary Android activities or services can be started from $@.", source.getNode(),
+  "this user input"

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirectionSample.java

@@ -0,0 +1,18 @@
+// BAD: A user-provided Intent is used to launch an arbitrary component
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+startActivity(forwardIntent);
+
+// GOOD: The destination component is checked before launching it
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+ComponentName destinationComponent = forwardIntent.resolveActivity(getPackageManager());
+if (destinationComponent.getPackageName().equals("safe.package") && 
+    destinationComponent.getClassName().equals("SafeClass")) {
+    startActivity(forwardIntent);
+}
+
+// GOOD: The component that sent the Intent is checked before launching the destination component
+Intent forwardIntent = (Intent) getIntent().getParcelableExtra("forward_intent");
+ComponentName originComponent = getCallingActivity();
+if (originComponent.getPackageName().equals("trusted.package") && originComponent.getClassName().equals("TrustedClass")) {
+    startActivity(forwardIntent);
+}

java/ql/test/library-tests/dataflow/taintsources/IntentSources.java

@@ -29,7 +29,6 @@ public void test3() throws java.io.IOException {
 
 }
 
-
 class OtherClass {
 
 	private static void sink(Object o) {}