Add full path reconstruction from RemoteFlowSource to sink

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java

@@ -11,19 +11,6 @@ public class AndroidIntentRedirectionTest extends Activity {
     public void onCreate(Bundle savedInstanceState) {
         Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
 
-        if (intent.getComponent().getPackageName().equals("something")) {
-            startActivity(intent); // Safe - sanitized
-        } else {
-            startActivity(intent); // $ hasAndroidIntentRedirection
-        }
-        if (intent.getComponent().getClassName().equals("something")) {
-            startActivity(intent); // Safe - sanitized
-        } else {
-            startActivity(intent); // $ hasAndroidIntentRedirection
-        }
-
-        startActivity(getIntent()); // Safe - not an intent obtained from the Extras
-
         // @formatter:off
         startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
         startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection
@@ -56,6 +43,17 @@ public class AndroidIntentRedirectionTest extends Activity {
         sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection
         // @formatter:on
 
+        if (intent.getComponent().getPackageName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
+            startActivity(intent); // $ hasAndroidIntentRedirection
+        }
+        if (intent.getComponent().getClassName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
+            startActivity(intent); // $ hasAndroidIntentRedirection
+        }
+
         try {
             {
                 Intent fwdIntent = new Intent();
@@ -134,6 +132,25 @@ public class AndroidIntentRedirectionTest extends Activity {
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
+            {
+                Intent originalIntent = getIntent();
+                Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
+                startActivity(originalIntent); // Safe - not an Intent obtained from the Extras
+            }
+            {
+                Intent originalIntent = getIntent();
+                ComponentName cp = new ComponentName(originalIntent.getStringExtra("packageName"),
+                        originalIntent.getStringExtra("className"));
+                Intent anotherIntent = new Intent();
+                anotherIntent.setComponent(cp);
+                startActivity(originalIntent); // Safe - not a tainted Intent
+            }
+            {
+                // Delayed cast
+                Object obj = getIntent().getParcelableExtra("forward_intent");
+                Intent fwdIntent = (Intent) obj;
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
         } catch (Exception e) {
         }
     }

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql

@@ -9,10 +9,10 @@ class HasAndroidIntentRedirectionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "hasAndroidIntentRedirection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectionConfiguration conf |
-      conf.hasFlow(src, sink)
+    exists(DataFlow::PathNode src, DataFlow::PathNode sink |
+      hasIntentRedirectionFlowPath(src, sink)
     |
-      sink.getLocation() = location and
+      sink.getNode().getLocation() = location and
       element = sink.toString() and
       value = ""
     )