SONARXML-236 Rule S7207: Components should be explicitly exported (#337)

Author: antonioaversa

its/ruling/src/test/resources/expected/xml-S7207.json

@@ -0,0 +1,34 @@
+{
+'project:special-cases/android-application/app1/AndroidManifest.xml':[
+11,
+30,
+42,
+54,
+66,
+78,
+90,
+102,
+113,
+124,
+135,
+146,
+157,
+169,
+180,
+191,
+202,
+213,
+224,
+235,
+246,
+257,
+268,
+280,
+293,
+306,
+],
+'project:special-cases/android-application/app3/AndroidManifest.xml':[
+16,
+26,
+],
+}

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/CheckList.java

@@ -29,6 +29,7 @@
 import org.sonar.plugins.xml.checks.maven.PomElementOrderCheck;
 import org.sonar.plugins.xml.checks.security.HardcodedCredentialsCheck;
 import org.sonar.plugins.xml.checks.security.android.AndroidApplicationBackupCheck;
+import org.sonar.plugins.xml.checks.security.android.AndroidComponentWithIntentFilterExportedCheck;
 import org.sonar.plugins.xml.checks.security.android.AndroidCustomPermissionCheck;
 import org.sonar.plugins.xml.checks.security.android.AndroidClearTextCheck;
 import org.sonar.plugins.xml.checks.security.android.AndroidExportedContentPermissionsCheck;
@@ -62,6 +63,7 @@ public static List<Class<?>> getCheckClasses() {
       AndroidClearTextCheck.class,
       AndroidCustomPermissionCheck.class,
       AndroidApplicationBackupCheck.class,
+      AndroidComponentWithIntentFilterExportedCheck.class,
       AndroidExportedContentPermissionsCheck.class,
       AndroidPermissionsCheck.class,
       AndroidProviderPermissionCheck.class,

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AbstractAndroidManifestCheck.java

@@ -19,9 +19,9 @@
 import org.sonarsource.analyzer.commons.xml.XmlFile;
 import org.sonarsource.analyzer.commons.xml.checks.SimpleXPathBasedCheck;
 
-public abstract class AbstractAndroidManifestCheck extends SimpleXPathBasedCheck {
+import static org.sonar.plugins.xml.checks.security.android.Utils.isAndroidManifestFile;
 
-  private static final String ANDROID_MANIFEST_XML = "AndroidManifest.xml";
+public abstract class AbstractAndroidManifestCheck extends SimpleXPathBasedCheck {
 
   @Override
   public final void scanFile(XmlFile file) {
@@ -32,8 +32,4 @@ public final void scanFile(XmlFile file) {
 
   protected abstract void scanAndroidManifest(XmlFile file);
 
-  public static boolean isAndroidManifestFile(XmlFile file) {
-    return ANDROID_MANIFEST_XML.equalsIgnoreCase(file.getInputFile().filename());
-  }
-
 }

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidApplicationBackupCheck.java

@@ -25,6 +25,8 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S6358")
 public class AndroidApplicationBackupCheck extends AbstractAndroidManifestCheck {
 
@@ -44,12 +46,12 @@ public class AndroidApplicationBackupCheck extends AbstractAndroidManifestCheck
 
   private static final XPathExpression X_PATH_APPLICATION_WITH_BACKUP = XPathBuilder
     .forExpression(APPLICATION_WITH_BACKUP_QUERY)
-    .withNamespace("n", "http://schemas.android.com/apk/res/android")
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   private static final XPathExpression X_PATH_APPLICATION_BELOW_SDK_23 = XPathBuilder
     .forExpression(APPLICATION_BELOW_SDK_23_QUERY)
-    .withNamespace("n", "http://schemas.android.com/apk/res/android")
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   @Override

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidClearTextCheck.java

@@ -25,22 +25,22 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S5332")
 public class AndroidClearTextCheck extends AbstractAndroidManifestCheck {
 
   private static final String MESSAGE = "Make sure allowing clear-text traffic is safe here.";
   private static final String MESSAGE_IMPLICIT = "\"usesCleartextTraffic\" is implicitly enabled for older Android versions. " + MESSAGE;
 
-  private static final String ANDROID_NAME_SPACE = "http://schemas.android.com/apk/res/android";
-
   private final XPathExpression xPathClearTextTrue = XPathBuilder
     .forExpression("/manifest/application[@n:usesCleartextTraffic='true']")
-    .withNamespace("n", ANDROID_NAME_SPACE)
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   private final XPathExpression xPathClearTextImplicit = XPathBuilder
     .forExpression("/manifest/application[not(@n:usesCleartextTraffic)]")
-    .withNamespace("n", ANDROID_NAME_SPACE)
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   @Override

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidComponentWithIntentFilterExportedCheck.java

@@ -0,0 +1,52 @@
+/*
+ * SonarQube XML Plugin
+ * Copyright (C) 2010-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.plugins.xml.checks.security.android;
+
+import java.util.Collections;
+import javax.xml.xpath.XPathExpression;
+import org.sonar.check.Rule;
+import org.sonarsource.analyzer.commons.xml.XPathBuilder;
+import org.sonarsource.analyzer.commons.xml.XmlFile;
+import org.w3c.dom.Element;
+
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+import static org.sonar.plugins.xml.checks.security.android.Utils.isAndroidManifestFile;
+
+@Rule(key = "S7207")
+public class AndroidComponentWithIntentFilterExportedCheck extends AbstractAndroidManifestCheck {
+
+  private static final String MESSAGE = "Mark this component as exported.";
+
+  private final XPathExpression xPathExpression = XPathBuilder
+    .forExpression("/manifest/application/*" +
+      "[" +
+      " (self::activity or self::activity-alias or self::provider or self::receiver or self::service)" +
+      "and" +
+      " (intent-filter)" +
+      "and" +
+      " (not(@n:exported))" +
+      "]")
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
+    .build();
+
+  @Override
+  protected void scanAndroidManifest(XmlFile file) {
+    evaluateAsList(xPathExpression, file.getDocument())
+      .forEach(node -> reportIssue(XmlFile.nameLocation((Element) node), MESSAGE, Collections.emptyList()));
+  }
+
+}

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidCustomPermissionCheck.java

@@ -21,12 +21,14 @@
 import org.sonarsource.analyzer.commons.xml.XPathBuilder;
 import org.sonarsource.analyzer.commons.xml.XmlFile;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S6359")
 public class AndroidCustomPermissionCheck extends AbstractAndroidManifestCheck {
 
   private static final String MESSAGE = "Use a different namespace for the \"%s\" permission.";
   private final XPathExpression xPathExpression = XPathBuilder.forExpression("/manifest/permission/@n1:name")
-    .withNamespace("n1", "http://schemas.android.com/apk/res/android")
+    .withNamespace("n1", ANDROID_MANIFEST_XMLNS)
     .build();
 
   @Override

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidExportedContentPermissionsCheck.java

@@ -23,6 +23,8 @@
 import org.sonarsource.analyzer.commons.xml.XmlFile;
 import org.w3c.dom.Element;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S5594")
 public class AndroidExportedContentPermissionsCheck extends AbstractAndroidManifestCheck {
 
@@ -44,7 +46,7 @@ public class AndroidExportedContentPermissionsCheck extends AbstractAndroidManif
       "                       or @n:name='android.intent.action.SENDTO'" +
       "                       or @n:name='android.intent.action.SEND_MULTIPLE'])" +
       "]")
-    .withNamespace("n", "http://schemas.android.com/apk/res/android")
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   @Override

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidPermissionsCheck.java

@@ -24,12 +24,14 @@
 import org.sonarsource.analyzer.commons.xml.XPathBuilder;
 import org.sonarsource.analyzer.commons.xml.XmlFile;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S5604")
 public class AndroidPermissionsCheck extends AbstractAndroidManifestCheck {
 
   private static final String MESSAGE = "Make sure the use of \"%s\" permission is necessary.";
   private final XPathExpression xPathExpression = XPathBuilder.forExpression("/manifest/uses-permission/@n1:name")
-    .withNamespace("n1", "http://schemas.android.com/apk/res/android")
+    .withNamespace("n1", ANDROID_MANIFEST_XMLNS)
     .build();
 
   private static final Set<String> DANGEROUS_PERMISSIONS = new HashSet<>(Arrays.asList(

sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidProviderPermissionCheck.java

@@ -28,11 +28,12 @@
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 
+import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;
+
 @Rule(key = "S6361")
 public class AndroidProviderPermissionCheck extends AbstractAndroidManifestCheck {
 
   private static final String MESSAGE = "Make sure using a single permission for read and write is safe here.";
-  private static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";
   private final XPathExpression xPathExpression = XPathBuilder
     .forExpression("/manifest/application/provider" +
       "[" +
@@ -44,7 +45,7 @@ public class AndroidProviderPermissionCheck extends AbstractAndroidManifestCheck
       "or" +
       " (@n:readPermission and @n:writePermission and @n:readPermission = @n:writePermission)" +
       "]")
-    .withNamespace("n", ANDROID_NS)
+    .withNamespace("n", ANDROID_MANIFEST_XMLNS)
     .build();
 
   @Override
@@ -55,7 +56,7 @@ protected final void scanAndroidManifest(XmlFile file) {
         // readPermission and writePermission have priority over permission
         // order matters to handle the case where the 3 are defined and readPermission and writePermission are equal
         final List<Node> nodes = Stream.of("readPermission", "writePermission", "permission")
-          .map(s -> attributes.getNamedItemNS(ANDROID_NS, s))
+          .map(s -> attributes.getNamedItemNS(ANDROID_MANIFEST_XMLNS, s))
           .filter(Objects::nonNull)
           .collect(Collectors.toList());
         reportIssue(