Android Manifest Incomplete provider permissions initial commit

egregius313 · egregius313 · commit 00891fa45518 · 2022-09-19T10:31:02.000-04:00
Initial work on checking provider elements in Android manifests for
complete permissions.
diff --git a/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.ql b/java/ql/src/Security/CWE/CWE-276/ContentProviderIncompletePermissions.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Missing read or write permission configuration
+ * @description Defining an incomplete set of permissions
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.8
+ * @id java/android/incomplete-provider-permissions
+ * @tags security
+ *       external/cwe/cwe-276
+ * @precision medium
+ */
+
+import java
+import semmle.code.xml.AndroidManifest
+
+from AndroidProviderXmlElement provider
+where
+  (
+    provider.getAnAttribute().(AndroidPermissionXmlAttribute).isWrite() or
+    provider.getAnAttribute().(AndroidPermissionXmlAttribute).isRead()
+  ) and
+  not provider.requiresPermissions()
+select provider, "Incomplete permissions"
