Improve sanitizers

2026-04-30 11:15:13 +02:00 · 2021-10-11 14:34:44 +01:00
parent 174ac3d6c3
commit 069d6627b5
1 changed files with 27 additions and 3 deletions
--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveBroadcastQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveBroadcastQuery.qll
@@ -111,6 +111,31 @@ private predicate isSensitiveBroadcastSink(DataFlow::Node sink) {
  )
 }

+predicate isCleanIntent(Expr intent) {
+  intent.getType() instanceof TypeIntent and
+  (
+    exists(MethodAccess setRecieverMa |
+      setRecieverMa.getQualifier() = intent and
+      setRecieverMa.getMethod().hasName(["setPackage", "setClass", "setClassName", "setComponent"])
+    )
+    or
+    // Handle the cases where the PackageContext and Class are set at construction time
+    //    Intent(Context packageContext, Class<?> cls)
+    //    Intent(String action, Uri uri, Context packageContext, Class<?> cls)
+    exists(ConstructorCall cc | cc = intent |
+      cc.getConstructedType() instanceof TypeIntent and
+      cc.getNumArgument() > 1 and
+      (
+        cc.getArgument(0).getType() instanceof TypeContext and
+        not isNullArg(cc.getArgument(1))
+        or
+        cc.getArgument(2).getType() instanceof TypeContext and
+        not isNullArg(cc.getArgument(3))
+      )
+    )
+  )
+}
+
 /**
 * Taint configuration tracking flow from variables containing sensitive information to broadcast intents.
 */
@@ -127,9 +152,8 @@ class SensitiveBroadcastConfig extends TaintTracking::Configuration {
   * Holds if broadcast doesn't specify receiving package name of the 3rd party app
   */
  override predicate isSanitizer(DataFlow::Node node) {
-    exists(MethodAccess setReceiverMa |
-      setReceiverMa.getMethod().hasName(["setPackage", "setClass", "setClassName", "setComponent"]) and
-      setReceiverMa.getQualifier().(VarAccess).getVariable().getAnAccess() = node.asExpr()
+    exists(DataFlow::Node intent | isCleanIntent(intent.asExpr()) |
+      DataFlow::localFlow(intent, node)
    )
  }