Add intent creation from a URI as a taint step

java/ql/lib/semmle/code/java/frameworks/android/Intent.qll

@@ -249,6 +249,9 @@ private class IntentComponentTaintSteps extends SummaryModelCsv {
         "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint",
         "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint",
         "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint",
+        "android.content;Intent;true;getIntent;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;getIntentOld;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;parseUri;(String,int);;Argument[0];ReturnValue;taint",
         "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint",
         "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;taint",
         "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint",

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java

@@ -179,6 +179,18 @@ public class AndroidIntentRedirectionTest extends Activity {
                 // Conditionally tainted sinks aren't supported currently
                 startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
             }
+            {
+                Intent fwdIntent = Intent.parseUri(getIntent().getStringExtra("uri"), 0);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntent(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntentOld(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
         } catch (Exception e) {
         }
     }