Skip to content

MASWE-0064: Replace placeholder with complete Content Provider weakness entry#174

Open
sushi2k with Copilot wants to merge 15 commits into
mainfrom
copilot/maswer-0064-update-content-provider
Open

MASWE-0064: Replace placeholder with complete Content Provider weakness entry#174
sushi2k with Copilot wants to merge 15 commits into
mainfrom
copilot/maswer-0064-update-content-provider

Conversation

Copilot AI commented Apr 18, 2026

Copy link
Copy Markdown

This updates MASWE-0064 from placeholder metadata to a complete MASWE weakness page for insecure Android content provider usage, aligned with repository authoring rules and the provided Android references. The content explicitly excludes Dirty Stream-specific coverage.

  • Scope and metadata alignment

    • Converted the entry to a full status: new weakness page.
    • Removed placeholder draft scaffolding.
    • Added android-risks mappings for:
      • .../risks/content-resolver
      • .../risks/untrustworthy-contentprovider-provided-filename
    • Refreshed refs to focus on stable, relevant Android content provider documentation.
  • Required MASWE structure

    • Added all mandated top-level sections in the required order:
      • ## Overview
      • ## Modes of Introduction
      • ## Impact
      • ## Mitigations
    • Rewrote content in platform-appropriate, developer-facing language per MASWE style constraints.
  • Content focus changes

    • Clarified trust-boundary failures on both sides of provider interactions:
      • insecure provider exposure/authorization
      • unsafe consumer trust in provider-returned metadata
    • Added concrete introduction modes (export/permission misconfig, missing runtime checks, unsafe file handling, SDK/plugin defaults).
    • Added concrete impact outcomes (unauthorized read/write, path traversal/arbitrary write vectors, downstream exfiltration/tampering).
    • Added imperative mitigations (least-privilege exposure, runtime authorization checks, URI/input validation, untrusted metadata handling, constrained/canonicalized file paths).
mappings:
  masvs-v2: [MASVS-PLATFORM-1, MASVS-STORAGE-1]
  cwe: [20, 73, 926]
  android-risks:
    - https://developer.android.com/privacy-and-security/risks/content-resolver
    - https://developer.android.com/privacy-and-security/risks/untrustworthy-contentprovider-provided-filename
status: new

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • developer.android.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 18, 2026 that may be closed by this pull request
Copilot AI and others added 7 commits April 18, 2026 11:18
Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114

Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OWASP/maswe/sessions/60e57da0-f8a2-41f0-b8b9-1bddf14e4114

Co-authored-by: sushi2k <5951320+sushi2k@users.noreply.github.com>
Copilot AI changed the title [WIP] Update MASWE for content providers MASWE-0064: Replace placeholder with complete Content Provider weakness entry Apr 18, 2026
Copilot AI requested a review from sushi2k April 18, 2026 11:22
@sushi2k sushi2k marked this pull request as ready for review May 4, 2026 06:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the placeholder content for MASWE-0064 with a full weakness entry describing insecure Android ContentProvider / FileProvider usage, structured per MASWE’s required section layout and intended to align with Android security guidance.

Changes:

  • Converts MASWE-0064 from placeholder scaffolding to a complete weakness page with the required sections (Overview, Modes of Introduction, Impact, Mitigations).
  • Adds/updates mappings and references intended to point to relevant Android documentation.
  • Introduces mitigation guidance around export controls, permission scoping, and safer file/URI handling.

Comment thread weaknesses/MASVS-PLATFORM/MASWE-0064.md
Comment thread weaknesses/MASVS-PLATFORM/MASWE-0064.md
Comment thread weaknesses/MASVS-PLATFORM/MASWE-0064.md Outdated
sushi2k and others added 2 commits June 3, 2026 10:33
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update: MASWE-0064 - Content Provider

3 participants