• Home
• io.joern
• querydb_3
• 2.0.183
• source code
• UnprotectedAppParts.scala

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.joern.scanners.android.UnprotectedAppParts.scala Maven / Gradle / Ivy

package io.joern.scanners.android

import io.joern.console.*
import io.joern.dataflowengineoss.language.toExtendedCfgNode
import io.joern.dataflowengineoss.queryengine.EngineContext
import io.joern.dataflowengineoss.semanticsloader.Semantics
import io.joern.macros.QueryMacros.*
import io.joern.scanners.*
import io.shiftleft.semanticcpg.language.*

object UnprotectedAppParts extends QueryBundle {
  implicit val engineContext: EngineContext = EngineContext(Semantics.empty)
  implicit val resolver: ICallResolver      = NoResolve

  @q
  def intentRedirection(): Query =
    Query.make(
      name = "intent-redirection",
      author = Crew.claudiu,
      title = "Intent redirected without validation",
      description = "-",
      score = 4,
      withStrRep { cpg =>
        cpg.method
          .nameExact("getParcelableExtra")
          .callIn
          .code(".*Intent.*")
          .filter { c =>
            def startActivityCalls = cpg.method.nameExact("startActivity").callIn
            def sink               = startActivityCalls.whereNot(_.controlledBy.astParent.isControlStructure).argument
            sink.reachableByFlows(c).nonEmpty
          }
      },
      tags = List(QueryTags.android),
      codeExamples = CodeExamples(
        List("""
            |fun matchingExample1() {
            |    val forwardIntent = intent.getParcelableExtra("very_forward_of_you")
            |    startActivity(forwardIntent)
            |}
            |""".stripMargin),
        List(
          """
            |fun nonMatchingExample1() {
            |    val forwardIntent = intent.getParcelableExtra("very_forward_of_you")
            |    val destinationComponent = forwardIntent!!.resolveActivity(packageManager)
            |    if (destinationComponent.packageName.equals("org.emotet.botnet.safe") &&
            |        destinationComponent.className.equals("TotallySafeClass")) {
            |        startActivity(forwardIntent)
            |    }
            |}
            |""".stripMargin,
          """
            |fun nonMatchingExample2() {
            |    val forwardIntent = intent.getParcelableExtra("very_forward_of_you")
            |    val destinationComponent = forwardIntent!!.resolveActivity(packageManager)
            |    if (destinationComponent.packageName.equals("org.emotet.botnet.safe") &&
            |        destinationComponent.className.equals("TotallySafeClass")) {
            |        startActivity(forwardIntent)
            |    }
            |}
            |""".stripMargin
        )
      )
    )
}