Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925) #8669
Conversation
joefarebrother
force-pushed
the
intent-verification
branch
from
848309f to
9cbc4be
Compare
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Outdated
Show resolved
Hide resolved
joefarebrother
force-pushed
the
intent-verification
branch
from
9950f57 to
f317ebf
Compare
|
This is mostly looking good to me. I think we need FP ratio and performance evaluations before merging though. |
joefarebrother
force-pushed
the
intent-verification
branch
from
f317ebf to
e2cf7cc
Compare
|
After experimenting a little with real world results, it seems that this vulnerability cannot be exploited through dynamically registered receivers (i.e. using So, I think we should restrict the query to only check statically registered receivers (i.e. through the Android manifest). I guess we could also handle dynamically registered receivers that have a filter for both a privileged action and an unprivileged action, but I'd say this is a pretty rare case and the chances of the receiver actually doing something sensitive would drop significantly. So I'll leave up to you to decide whether you want to handle that case — otherwise, we should just remove everything related to |
atorralba
added
the
ready-for-doc-review
There was a problem hiding this comment.
@joefarebrother 👋🏻 - this LGTM, I've made a few comments and suggestions for your consideration.
Would be great if you could correct the typo, and reword the query description. Hope this helps 🙂
| @@ -0,0 +1,19 @@ | |||
| /** | |||
| * @name Improper Verification of Intent by Broadcast Receiver | |||
| * @description The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source. | |||
There was a problem hiding this comment.
Same comment here, unless you absolutely need to use capitalization (like in Android).
Also, this is not the preferred syntax for a description ("Syntax X causes behavior Y."). Could you reword and remove the capitalization?
java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.qhelp
Outdated
Show resolved
Hide resolved
| <overview> | ||
| <p> | ||
| When an android application uses a <code>BroadcastReciever</code> to receive intents, | ||
| it is also able to receive explicit intents that are sent directly to it, regardless of its filter. |
There was a problem hiding this comment.
What does the its pronoun refer to here, the app or the BroadcastReceiver (sorry, not a developer)?
There was a problem hiding this comment.
It refers to the BroadcastReceiver
|
|
||
| Certain intent actions are only able to be sent by the operating system, not third-party applications. | ||
| However, a <code>BroadcastReceiver</code> that is registered to receive system intents is still able to receive | ||
| other intents from a third-party application, so it should check that the intent received has the expected action. |
There was a problem hiding this comment.
Not required?
| other intents from a third-party application, so it should check that the intent received has the expected action. | |
| intents from a third-party application, so it should check that the intent received has the expected action. |
…vate Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
fix typos and capitilisation; reword description.
joefarebrother
force-pushed
the
intent-verification
branch
from
4717d32 to
a6736a9
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
No description provided.