Use proper class inheritance

2026-04-30 11:15:13 +02:00 · 2020-10-28 22:05:30 +00:00
parent 3cc3fe9d37
commit 2ee9a45e69
3 changed files with 14 additions and 21 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -307,36 +307,26 @@ class ReverseDNSMethod extends Method {

 /** Android `Intent` that may have come from a hostile application. */
 class AndroidIntentInput extends DataFlow::Node {
+  Type receiverType;
+
  AndroidIntentInput() {
    exists(MethodAccess ma, AndroidGetIntentMethod m |
      ma.getMethod().overrides*(m) and
-      this.asExpr() = ma
+      this.asExpr() = ma and
+      receiverType = ma.getEnclosingCallable().getDeclaringType()
    )
    or
    exists(Method m, AndroidReceiveIntentMethod rI |
      m.overrides*(rI) and
-      this.asParameter() = m.getParameter(1)
+      this.asParameter() = m.getParameter(1) and
+      receiverType = m.getDeclaringType()
    )
  }
 }

 /** Exported Android `Intent` that may have come from a hostile application. */
-class ExportedAndroidIntentInput extends RemoteFlowSource {
-  ExportedAndroidIntentInput() {
-    exists(ExportableAndroidComponent exportedType | exportedType.isExported() |
-      exists(MethodAccess ma, AndroidGetIntentMethod m |
-        ma.getMethod().overrides*(m) and
-        this.asExpr() = ma and
-        exportedType = ma.getEnclosingCallable().getDeclaringType()
-      )
-      or
-      exists(Method m, AndroidReceiveIntentMethod rI |
-        m.overrides*(rI) and
-        this.asParameter() = m.getParameter(1) and
-        exportedType = m.getDeclaringType()
-      )
-    )
-  }
+class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
+  ExportedAndroidIntentInput() { receiverType.(ExportableAndroidComponent).isExported() }

-  override string getSourceType() { result = "Android intent source" }
+  override string getSourceType() { result = "Exported Android intent source" }
 }
--- a/java/ql/src/semmle/code/java/frameworks/android/Android.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
@@ -31,7 +31,7 @@ class AndroidComponent extends Class {
 }

 /**
- * An Android component that is explicitly or implicitly exported.
+ * An Android component that can be explicitly or implicitly exported.
 */
 class ExportableAndroidComponent extends AndroidComponent {
  /** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
--- a/java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity4.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity4.java
@@ -9,7 +9,10 @@ import android.webkit.WebView;
 import android.webkit.WebViewClient;

 public class UnsafeActivity4 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	/** 
+	 * Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+     * Note this case of invoking utility method that takes an Activity a then calls `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is capable of.
+	 */
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);