Merge pull request #8873 from atorralba/atorralba/android-startactivity-flowstep

Java: Add flow step from startActivity to getIntent
2026-04-27 17:55:19 +02:00 · 2022-05-11 11:08:08 +02:00
parent 43b425d0e4 cf55f180c4
commit 25336df302
4 changed files with 70 additions and 0 deletions
--- a/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md
+++ b/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
--- a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -176,6 +176,25 @@ class GrantWriteUriPermissionFlag extends GrantUriPermissionFlag {
  GrantWriteUriPermissionFlag() { this.hasName("FLAG_GRANT_WRITE_URI_PERMISSION") }
 }

+/**
+ * A value-preserving step from the Intent argument of a `startActivity` call to
+ * a `getIntent` call in the Activity the Intent pointed to in its constructor.
+ */
+private class StartActivityIntentStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(MethodAccess startActivity, MethodAccess getIntent, ClassInstanceExpr newIntent |
+      startActivity.getMethod().overrides*(any(ContextStartActivityMethod m)) and
+      getIntent.getMethod().overrides*(any(AndroidGetIntentMethod m)) and
+      newIntent.getConstructedType() instanceof TypeIntent and
+      DataFlow::localExprFlow(newIntent, startActivity.getArgument(0)) and
+      newIntent.getArgument(1).getType().(ParameterizedType).getATypeArgument() =
+        getIntent.getReceiverType() and
+      n1.asExpr() = startActivity.getArgument(0) and
+      n2.asExpr() = getIntent
+    )
+  }
+}
+
 private class IntentBundleFlowSteps extends SummaryModelCsv {
  override predicate row(string row) {
    row =
--- a/java/ql/test/library-tests/frameworks/android/intent/AndroidManifest.xml
+++ b/java/ql/test/library-tests/frameworks/android/intent/AndroidManifest.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    package="com.example.app">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+
+        <activity
+            android:name=".TestStartActivityToGetIntent.SomeActivity"
+            android:exported="false">
+        </activity>
+
+    </application>
+</manifest>
--- a/java/ql/test/library-tests/frameworks/android/intent/TestStartActivityToGetIntent.java
+++ b/java/ql/test/library-tests/frameworks/android/intent/TestStartActivityToGetIntent.java
@@ -0,0 +1,25 @@
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+
+public class TestStartActivityToGetIntent {
+
+    static Object source() {
+        return null;
+    }
+
+    static void sink(Object sink) {}
+
+    public void test(Context ctx) {
+        Intent intent = new Intent(null, SomeActivity.class);
+        intent.putExtra("data", (String) source());
+        ctx.startActivity(intent);
+    }
+
+    static class SomeActivity extends Activity {
+
+        public void test() {
+            sink(getIntent().getStringExtra("data")); // $ hasValueFlow
+        }
+    }
+}