Skip to content

Java: Add query for leaking sensitive data through a ResultReceiver #11713

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Feb 1, 2023
Merged

Java: Add query for leaking sensitive data through a ResultReceiver #11713

merged 12 commits into from
Feb 1, 2023

Conversation

joefarebrother
Copy link
Contributor

Part of CWE-927.

Covers cases in which a ResultReceiver is obtained from some untrusted source, and then sensitive data is sent through it.

@github-actions github-actions bot added the Java label Dec 15, 2022
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 15, 2022
View reviewed changes
java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll
Comment on lines +47 to +49
super.allowImplicitRead(node, c)
or
this.isSink(node)

Check warning

Code scanning / CodeQL

Var only used in one side of disjunct.

The [variable c](1) is only used in one side of disjunct.
@joefarebrother joefarebrother force-pushed the sensitive-result-receiver branch from 5ec4f52 to 1dc9fa2 Compare January 6, 2023 17:24
@github-actions
Copy link
Contributor

github-actions bot commented Jan 11, 2023
edited
Loading

QHelp previews:

java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.qhelp

Leaking sensitive information through a ResultReceiver

If a ResultReceiver is obtained from an untrusted source, such as an Intent received by an exported component, do not send it sensitive data. Otherwise, the information may be leaked to a malicious application.

Recommendation

Do not send sensitive data to an untrusted ResultReceiver.

Example

In the following (bad) example, sensitive data is sent to an untrusted ResultReceiver.

// BAD: Sensitive data is sent to an untrusted result receiver 
void bad(String password) {
    Intent intent = getIntent();
    ResultReceiver rec = intent.getParcelableExtra("Receiver");
    Bundle b = new Bundle();
    b.putCharSequence("pass", password);
    rec.send(0, b); 
}

References

  • Common Weakness Enumeration: CWE-927.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 11, 2023
View reviewed changes
@joefarebrother joefarebrother changed the title [Draft] Java: Add query for leaking sensitive data through a ResultReceiver Java: Add query for leaking sensitive data through a ResultReceiver Jan 12, 2023
@joefarebrother joefarebrother force-pushed the sensitive-result-receiver branch from 1caa60d to e12febf Compare January 12, 2023 11:45
@joefarebrother joefarebrother marked this pull request as ready for review January 12, 2023 11:45
@joefarebrother joefarebrother requested a review from a team as a code owner January 12, 2023 11:45
atorralba
atorralba reviewed Jan 16, 2023
View reviewed changes
@atorralba
Copy link
Contributor

I think this is ready for docs review 👍

@joefarebrother joefarebrother added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Jan 27, 2023
sabrowning1
sabrowning1 reviewed Jan 31, 2023
View reviewed changes
Copy link
Contributor

@sabrowning1 sabrowning1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joefarebrother, hi from Docs 👋🏼 I've just suggested a couple small changes below, then this is looking good 👍🏼 thanks for your work on the documentation!

@joefarebrother @sabrowning1
Apply suggestions from docs review
74dba95 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
atorralba
atorralba reviewed Feb 1, 2023
View reviewed changes
sabrowning1
sabrowning1 previously approved these changes Feb 1, 2023
View reviewed changes
Copy link
Contributor

@sabrowning1 sabrowning1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making those changes @joefarebrother! Once @atorralba's updated the wording in that .ql file, this is good to go for docs 🚀

atorralba
atorralba approved these changes Feb 1, 2023
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@joefarebrother joefarebrother merged commit 97b2e85 into github:main Feb 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sabrowning1 sabrowning1 sabrowning1 left review comments

+1 more reviewer

@atorralba atorralba atorralba approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation Java ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joefarebrother @atorralba @sabrowning1