Use CSV models

java/ql/src/semmle/code/java/security/AndroidIntentRedirection.qll

@@ -2,6 +2,7 @@
 
 import java
 private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.frameworks.android.Intent
 
 /**
@@ -28,19 +29,5 @@ class IntentRedirectionAdditionalTaintStep extends Unit {
 
 /** Default sink for Intent redirection vulnerabilities. */
 private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
-  DefaultIntentRedirectionSink() {
-    exists(MethodAccess ma, Method m |
-      ma.getMethod() = m and
-      this.asExpr() = ma.getAnArgument() and
-      (
-        this.asExpr().getType() instanceof TypeIntent
-        or
-        this.asExpr().getType().(Array).getComponentType() instanceof TypeIntent
-      )
-    |
-      m instanceof StartActivityMethod or
-      m instanceof StartServiceMethod or
-      m instanceof SendBroadcastMethod
-    )
-  }
+  DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }
 }

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java

@@ -18,7 +18,6 @@ public class AndroidIntentRedirectionTest extends Activity {
             startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection
             startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirection
             startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection
-            startActivityAsUserFromFragment(null, intent, 0, null, null); // $ hasAndroidIntentRedirection
             startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection
             startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection
             startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection