first draft of query and tests

Jami Cogswell · Jami Cogswell · commit 8d5bbc458f13 · 2022-08-22T12:41:22.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql b/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
@@ -1,10 +1,10 @@
 /**
- * @name Implicitly imported Android component
+ * @name Implicitly exported Android component
  * @description TODO after more background reading
- * @kind problem (TODO: confirm after more background reading)
+ * @kind problem
  * @problem.severity warning (TODO: confirm after more background reading)
  * @security-severity 0.1 (TODO: run script)
- * @id java/android/implicitly-imported-component
+ * @id java/android/implicitly-exported-component
  * @tags security
  *       external/cwe/cwe-926
  * @precision TODO after MRVA
@@ -13,10 +13,16 @@
 import java
 import semmle.code.xml.AndroidManifest
 
-// TODO: change query
-from AndroidXmlAttribute androidXmlAttr
+from AndroidComponentXmlElement compElem
 where
-  androidXmlAttr.getName() = "debuggable" and
-  androidXmlAttr.getValue() = "true" and
-  not androidXmlAttr.getLocation().getFile().getRelativePath().matches("%build%")
-select androidXmlAttr, "The 'android:debuggable' attribute is enabled."
+  not compElem.hasAttribute("exported") and
+  compElem.getAChild().hasName("intent-filter") and
+  not compElem.hasAttribute("permission") and
+  not compElem
+      .getAnIntentFilterElement()
+      .getAnActionElement()
+      .getActionName()
+      .matches("android.intent.action.%") and // filter out anything that is android intent (e.g. don't just filter out MAIN) because I think those are fine (but need to look at docs to confirm)
+  //not compElem.getAnIntentFilterElement().getAnActionElement().getActionName() = "android.intent.category.LAUNCHER" and // I should add this as well, but above will techincally filter out since they always seem to occur together
+  not compElem.getFile().getRelativePath().matches("%build%") // switch to not isInBuildDirectory() once new predicate is merged into main
+select compElem, "This component is implicitly exported."
diff --git a/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-926/AndroidManifest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.example.happybirthday">
+
+    <application
+        android:allowBackup="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.HappyBirthday"
+        tools:targetApi="31">  <!-- test -->
+        <!-- $ hasImplicitExport --> <activity
+            android:name=".MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application> <!-- test -->
+
+</manifest>
diff --git a/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql b/java/ql/test/query-tests/security/CWE-926/ImplicitlyExportedAndroidComponentTest.ql
@@ -2,21 +2,20 @@ import java
 import semmle.code.xml.AndroidManifest
 import TestUtilities.InlineExpectationsTest
 
-// TODO: update for implicit export query
-class DebuggableAttributeTrueTest extends InlineExpectationsTest {
-  DebuggableAttributeTrueTest() { this = "DebuggableAttributeEnabledTest" }
+class ImplicitlyExportedAndroidComponentTest extends InlineExpectationsTest {
+  ImplicitlyExportedAndroidComponentTest() { this = "ImplicitlyExportedAndroidComponentTest" }
 
-  override string getARelevantTag() { result = "hasDebuggableAttributeEnabled" }
+  override string getARelevantTag() { result = "hasImplicitExport" }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasDebuggableAttributeEnabled" and
-    exists(AndroidXmlAttribute androidXmlAttr |
-      androidXmlAttr.getName() = "debuggable" and
-      androidXmlAttr.getValue() = "true" and
-      not androidXmlAttr.getLocation().getFile().getRelativePath().matches("%build%")
+    tag = "hasImplicitExport" and
+    exists(AndroidComponentXmlElement compElem, AndroidIntentFilterXmlElement intFiltElem |
+      not compElem.hasAttribute("exported") and
+      //compElem.getAnIntentFilterElement() instanceof AndroidIntentFilterXmlElement
+      not intFiltElem.getParent() = compElem
     |
-      androidXmlAttr.getLocation() = location and
-      element = androidXmlAttr.toString() and
+      compElem.getLocation() = location and
+      element = compElem.toString() and
       value = ""
     )
   }
