Checker UseOfUncontrolledExternalData

belongs to group Basic
Identify potential dangerous information flows in Android applications

Frameworks supported by this checker

  • android up to API level 28

Warnings generated by this checker

  • AllowAllFragmentsWarning: an unsafe method is used for fragment validation [ CWE287 ]
  • ExternalDataInVulnerableMethodWarning: tainted external data might flow into vulnerable point [ CWE74 ]
  • FragmentInjectionWarning: tainted data might flow into a fragment execution, unvalidated [ CWE470 ]
  • ShouldBeOverriddenIsValidFragmentMethodWarning: isValidFragment() should be overridden [ CWE74 ]

Options accepted by this checker

  • allowCheckWithoutAndroidManifest: allow check without manifest
    The analysis use the android manifest information to inferrer warnings, enabling this option is considered the worst case

Annotations understood by this checker

  • none


Description

The UseOfUncontrolledExternalData checker is dedicated to the analysis of Android applications. The UseOfUncontrolledExternalData checker is able to produce a warning when unsafe external data are used, without a correctly check, in vulnerable methods.


Examples

Consider the following classes:

package com.juliasoft.julia.tests.checks.useOfUncontrolledExternalData;

import android.app.Fragment;
import android.app.FragmentTransaction;
import android.os.Bundle;
import android.preference.PreferenceActivity;
import android.webkit.WebView;

public class UncontrolledFragment1 extends PreferenceActivity
{
	  WebView mWebView;
	  
	  protected void onCreate(Bundle savedInstanceState) {
		          super.onCreate(savedInstanceState);
		          final String initialFragment = getIntent().getStringExtra(EXTRA_SHOW_FRAGMENT);
		          final Fragment f = Fragment.instantiate(this, initialFragment, null);
		          final FragmentTransaction transaction = getFragmentManager().beginTransaction();
		          transaction.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
		          transaction.replace(11, f);
		          transaction.commitAllowingStateLoss();
	  }
}
package com.juliasoft.julia.tests.checks.useOfUncontrolledExternalData;

import android.app.Fragment;
import android.app.FragmentTransaction;
import android.os.Bundle;
import android.preference.PreferenceActivity;
import android.webkit.WebView;

public class UncontrolledFragment2 extends PreferenceActivity
{
	  WebView mWebView;
	  
	  protected void onCreate(Bundle savedInstanceState) {
		          super.onCreate(savedInstanceState);

		          final String initialFragment = getIntent().getStringExtra(EXTRA_SHOW_FRAGMENT);
		          if(isValidFragment(initialFragment)) {
			          final Fragment f = Fragment.instantiate(this, initialFragment, null);
			          final FragmentTransaction transaction = getFragmentManager().beginTransaction();
			          transaction.setTransition(FragmentTransaction.TRANSIT_FRAGMENT_FADE);
			          transaction.replace(11, f);
			          transaction.commitAllowingStateLoss();
		          }
	  }

	@Override
	protected boolean isValidFragment(String fragmentName) {
		
		return true;
	}
}

This checker issues the following warnings:

UncontrolledFragment1.java:9: [UseOfUncontrolledExternalData: ShouldBeOverriddenIsValidFragmentMethodWarning] The class com.juliasoft.julia.tests.checks.useOfUncontrolledExternalData.UncontrolledFragment1 should override of the method "isValidFragment" with a a safe implementation
UncontrolledFragment1.java:20: [UseOfUncontrolledExternalData: FragmentInjectionWarning] Possible Fragment-injection from line 15 into method "commitAllowingStateLoss"
UncontrolledFragment2.java:29: [UseOfUncontrolledExternalData: AllowAllFragmentsWarning] Method "isValidFragment" always returns true and therefore is not safe fragment validation

The warnings are all relative to external fragments and their validation. The external fragments without or with a wrong validation could lead to security issues. As described in the Android Api, the PreferenceActivity's subclasses should override the method isValidFragment() and verify that the given fragment is a valid type to be attached to this activity.

Consider the following code:

package com.juliasoft.julia.tests.checks.useOfUncontrolledExternalData;

import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import android.webkit.WebView;

public class UncontrolledActivity extends Activity
{
	  WebView mWebView;
	  
	  protected void onCreate(Bundle paramBundle)
	  {
	    super.onCreate(paramBundle);
	    
	    BroadcastReceiver receiver = new BroadcastReceiver() {
	    	   public void onReceive(Context arg0, Intent intent) {
	    	     String s = intent.getStringExtra("url");
	    	     Intent i = new Intent(Intent.ACTION_VIEW);
	    	     i = i.setAction(s);
	    	     startActivity(i);
	    	   }
	    	 };
	  }
}

This checker issues the following warnings:

UncontrolledActivity.java:25: [UseOfUncontrolledExternalData: ExternalDataInVulnerableMethodWarning] Possible use of external data in actual parameter "intent" of method "startActivity"

The warning is relative to external intent and its data. An external intent with external data could lead to security issues, because could be executed activity with untrusted data.