Merge pull request #4512 from luchua-bc/sensitive-broadcast

aschackmull · web-flow · commit 22b4df0f3c2a · 2020-11-04T10:47:48.000+01:00
Java: Sensitive broadcast
diff --git a/java/ql/src/experimental/Security/CWE/CWE-532/SensitiveInfoLog.ql b/java/ql/src/experimental/Security/CWE/CWE-532/SensitiveInfoLog.ql
@@ -9,21 +9,21 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.SensitiveActions
 import DataFlow
 import PathGraph
 
 /**
- * Gets a regular expression for matching names of variables that indicate the value being held is a credential
+ * Gets a regular expression for matching names of variables that indicate the value being held may contain sensitive information
  */
-private string getACredentialRegex() {
-  result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
-  result = "(?i)(.*username|.*secret|url).*"
-}
+private string getACredentialRegex() { result = "(?i)(.*username|url).*" }
 
 /** Variable keeps sensitive information judging by its name * */
 class CredentialExpr extends Expr {
   CredentialExpr() {
-    exists(Variable v | this = v.getAnAccess() | v.getName().regexpMatch(getACredentialRegex()))
+    exists(Variable v | this = v.getAnAccess() |
+      v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getACredentialRegex()])
+    )
   }
 }
 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.java b/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.java
@@ -0,0 +1,30 @@
+public void sendBroadcast1(Context context, String token, String refreshToken) 
+{
+    {
+        // BAD: broadcast sensitive information to all listeners
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+
+    {
+        // GOOD: broadcast sensitive information only to those with permission
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent, "com.example.user_permission");
+    }
+
+    {
+        // GOOD: broadcast sensitive information to a specific application
+        Intent intent = new Intent();
+        intent.setAction("com.example.custom_action");
+        intent.setClassName("com.example2", "com.example2.UserInfoHandler");
+        intent.putExtra("token", token);
+        intent.putExtra("refreshToken", refreshToken);
+        context.sendBroadcast(intent);
+    }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.qhelp b/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.qhelp
@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Broadcast intents in an Android application are visible to all applications installed on the same mobile device, exposing all sensitive information they contain.</p>
+    <p>Broadcasts are vulnerable to passive eavesdropping or active denial of service attacks when an intent is broadcast without specifying any receiver permission or receiver application.</p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Specify a receiver permission or application when broadcasting intents, or switch to
+      <code>LocalBroadcastManager</code>
+      or the latest
+      <code>LiveData</code>
+      library.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>The following example shows two ways of broadcasting intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
+    <sample src="SensitiveBroadcast.java" />
+  </example>
+
+  <references>
+    <li>
+      CWE:
+      <a href="https://cwe.mitre.org/data/definitions/927.html">CWE-927: Use of Implicit Intent for Sensitive Communication</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/guide/components/broadcasts">Security considerations and best practices for sending and receiving broadcasts</a>
+    </li>
+    <li>
+      SonarSource:
+      <a href="https://rules.sonarsource.com/java/type/Security%20Hotspot/RSPEC-5320">Broadcasting intents is security-sensitive</a>
+    </li>
+    <li>
+      Android Developer Fundamentals:
+      <a href="https://google-developer-training.github.io/android-developer-fundamentals-course-concepts-v2/unit-3-working-in-the-background/lesson-7-background-tasks/7-3-c-broadcasts/7-3-c-broadcasts.html">Restricting broadcasts</a>
+    </li>
+    <li>
+      Carnegie Mellon University:
+      <a href="https://wiki.sei.cmu.edu/confluence/display/android/DRD03-J.+Do+not+broadcast+sensitive+information+using+an+implicit+intent">DRD03-J. Do not broadcast sensitive information using an implicit intent</a>
+    </li>
+    <li>
+      Android Developers:
+      <a href="https://developer.android.com/topic/libraries/architecture/livedata">Android LiveData Overview</a>
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql b/java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.ql
@@ -0,0 +1,171 @@
+/**
+ * @name Broadcasting sensitive data to all Android applications
+ * @id java/sensitive-broadcast
+ * @description An Android application uses implicit intents to broadcast sensitive data to all applications without specifying any receiver permission.
+ * @kind path-problem
+ * @tags security
+ *       external/cwe-927
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow3
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.security.SensitiveActions
+import DataFlow::PathGraph
+
+/**
+ * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
+ */
+private string getAndroidSensitiveInfoRegex() { result = "(?i).*(email|phone|ticket).*" }
+
+/**
+ * Method call to pass information to the `Intent` object.
+ */
+class PutIntentExtraMethodAccess extends MethodAccess {
+  PutIntentExtraMethodAccess() {
+    (
+      getMethod().getName().matches("put%Extra") or
+      getMethod().hasName("putExtras")
+    ) and
+    getMethod().getDeclaringType() instanceof TypeIntent
+  }
+}
+
+/**
+ * Method call to pass information to the intent extra bundle object.
+ */
+class PutBundleExtraMethodAccess extends MethodAccess {
+  PutBundleExtraMethodAccess() {
+    getMethod().getName().regexpMatch("put\\w+") and
+    getMethod().getDeclaringType().getASupertype*().hasQualifiedName("android.os", "BaseBundle")
+  }
+}
+
+/** Finds variables that hold sensitive information judging by their names. */
+class SensitiveInfoExpr extends Expr {
+  SensitiveInfoExpr() {
+    exists(Variable v | this = v.getAnAccess() |
+      v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getAndroidSensitiveInfoRegex()])
+    )
+  }
+}
+
+/**
+ * A method access of the `Context.sendBroadcast` family.
+ */
+class SendBroadcastMethodAccess extends MethodAccess {
+  SendBroadcastMethodAccess() {
+    this.getMethod().getDeclaringType() instanceof TypeContext and
+    this.getMethod().getName().matches("send%Broadcast%")
+  }
+}
+
+private class NullArgFlowConfig extends DataFlow2::Configuration {
+  NullArgFlowConfig() { this = "Flow configuration with a null argument" }
+
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof NullLiteral }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(SendBroadcastMethodAccess ma | sink.asExpr() = ma.getAnArgument())
+  }
+}
+
+private class EmptyArrayArgFlowConfig extends DataFlow3::Configuration {
+  EmptyArrayArgFlowConfig() { this = "Flow configuration with an empty array argument" }
+
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr().(ArrayCreationExpr).getFirstDimensionSize() = 0
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(SendBroadcastMethodAccess ma | sink.asExpr() = ma.getAnArgument())
+  }
+}
+
+/**
+ * Holds if a `sendBroadcast` call doesn't specify receiver permission.
+ */
+predicate isSensitiveBroadcastSink(DataFlow::Node sink) {
+  exists(SendBroadcastMethodAccess ma |
+    sink.asExpr() = ma.getAnArgument() and
+    (
+      ma.getMethod().hasName("sendBroadcast") and
+      (
+        ma.getNumArgument() = 1 // sendBroadcast(Intent intent)
+        or
+        // sendBroadcast(Intent intent, String receiverPermission)
+        exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(1))))
+      )
+      or
+      ma.getMethod().hasName("sendBroadcastAsUser") and
+      (
+        ma.getNumArgument() = 2 or // sendBroadcastAsUser(Intent intent, UserHandle user)
+        exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(2)))) // sendBroadcastAsUser(Intent intent, UserHandle user, String receiverPermission)
+      )
+      or
+      ma.getMethod().hasName("sendBroadcastWithMultiplePermissions") and
+      exists(EmptyArrayArgFlowConfig config |
+        config.hasFlow(_, DataFlow::exprNode(ma.getArgument(1))) // sendBroadcastWithMultiplePermissions(Intent intent, String[] receiverPermissions)
+      )
+      or
+      // Method calls of `sendOrderedBroadcast` whose second argument is always `receiverPermission`
+      ma.getMethod().hasName("sendOrderedBroadcast") and
+      (
+        // sendOrderedBroadcast(Intent intent, String receiverPermission) or sendOrderedBroadcast(Intent intent, String receiverPermission, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+        exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(1)))) and
+        ma.getNumArgument() <= 7
+        or
+        // sendOrderedBroadcast(Intent intent, String receiverPermission, String receiverAppOp, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+        exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(1)))) and
+        exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(2)))) and
+        ma.getNumArgument() = 8
+      )
+      or
+      // Method call of `sendOrderedBroadcastAsUser(Intent intent, UserHandle user, String receiverPermission, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)`
+      ma.getMethod().hasName("sendOrderedBroadcastAsUser") and
+      exists(NullArgFlowConfig conf | conf.hasFlow(_, DataFlow::exprNode(ma.getArgument(2))))
+    )
+  )
+}
+
+/**
+ * Taint configuration tracking flow from variables containing sensitive information to broadcast intents.
+ */
+class SensitiveBroadcastConfig extends TaintTracking::Configuration {
+  SensitiveBroadcastConfig() { this = "Sensitive Broadcast Configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SensitiveInfoExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink) { isSensitiveBroadcastSink(sink) }
+
+  /**
+   * Holds if there is an additional flow step from `PutIntentExtraMethodAccess` or `PutBundleExtraMethodAccess` that taints the `Intent` or its extras `Bundle`.
+   */
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(PutIntentExtraMethodAccess pia |
+      node1.asExpr() = pia.getAnArgument() and node2.asExpr() = pia.getQualifier()
+    )
+    or
+    exists(PutBundleExtraMethodAccess pba |
+      node1.asExpr() = pba.getAnArgument() and node2.asExpr() = pba.getQualifier()
+    )
+  }
+
+  /**
+   * Holds if broadcast doesn't specify receiving package name of the 3rd party app
+   */
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(MethodAccess setReceiverMa |
+      setReceiverMa.getMethod().hasName(["setPackage", "setClass", "setClassName", "setComponent"]) and
+      setReceiverMa.getQualifier().(VarAccess).getVariable().getAnAccess() = node.asExpr()
+    )
+  }
+}
+
+from SensitiveBroadcastConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Sending $@ to broadcast.", source.getNode(),
+  "sensitive information"
diff --git a/java/ql/src/semmle/code/java/security/SensitiveActions.qll b/java/ql/src/semmle/code/java/security/SensitiveActions.qll
@@ -27,6 +27,14 @@ private string nonSuspicious() {
   result = "%crypt%"
 }
 
+/**
+ * Gets a regular expression for matching common names of variables that indicate the value being held contains sensitive information.
+ */
+string getCommonSensitiveInfoRegex() {
+  result = "(?i).*challenge|pass(wd|word|code|phrase)(?!.*question).*" or
+  result = "(?i).*(token|secret).*"
+}
+
 /** An expression that might contain sensitive data. */
 abstract class SensitiveExpr extends Expr { }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
@@ -0,0 +1,34 @@
+edges
+| SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent |
+| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
+| SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
+| SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent |
+| SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
+| SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
+| SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
+nodes
+| SensitiveBroadcast.java:12:34:12:38 | token : String | semmle.label | token : String |
+| SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | semmle.label | refreshToken : String |
+| SensitiveBroadcast.java:14:31:14:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:25:32:25:39 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
+| SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
+| SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |
+| SensitiveBroadcast.java:98:54:98:59 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:109:32:109:39 | passcode : String | semmle.label | passcode : String |
+| SensitiveBroadcast.java:111:54:111:59 | intent | semmle.label | intent |
+| SensitiveBroadcast.java:136:33:136:38 | passwd : String | semmle.label | passwd : String |
+| SensitiveBroadcast.java:140:54:140:59 | intent | semmle.label | intent |
+#select
+| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:12:34:12:38 | token : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:12:34:12:38 | token | sensitive information |
+| SensitiveBroadcast.java:14:31:14:36 | intent | SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:13:41:13:52 | refreshToken | sensitive information |
+| SensitiveBroadcast.java:26:31:26:36 | intent | SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:25:32:25:39 | password | sensitive information |
+| SensitiveBroadcast.java:38:31:38:36 | intent | SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:36:35:36:39 | email | sensitive information |
+| SensitiveBroadcast.java:52:31:52:36 | intent | SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:52:31:52:36 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:50:22:50:29 | password | sensitive information |
+| SensitiveBroadcast.java:98:54:98:59 | intent | SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:97:35:97:40 | ticket | sensitive information |
+| SensitiveBroadcast.java:111:54:111:59 | intent | SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:109:32:109:39 | passcode | sensitive information |
+| SensitiveBroadcast.java:140:54:140:59 | intent | SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent | Sending $@ to broadcast. | SensitiveBroadcast.java:136:33:136:38 | passwd | sensitive information |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.java b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.java
diff --git a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.qlref b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.qlref
diff --git a/java/ql/test/experimental/query-tests/security/CWE-927/options b/java/ql/test/experimental/query-tests/security/CWE-927/options
