Refactor query to change returned source

java/ql/src/Security/CWE/CWE-094/ArbitraryAPKInstallation.ql

@@ -8,7 +8,7 @@
 import java
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.TaintTracking2
 private import semmle.code.java.dataflow.ExternalFlow
 
 class PackageArchiveMimeTypeLiteral extends StringLiteral {
@@ -18,57 +18,57 @@ class PackageArchiveMimeTypeLiteral extends StringLiteral {
 class SetTypeMethod extends Method {
   SetTypeMethod() {
     this.hasName(["setType", "setTypeAndNormalize"]) and
-    this.getDeclaringType().getASupertype*() instanceof TypeIntent
+    this.getDeclaringType() instanceof TypeIntent
   }
 }
 
 class SetDataAndTypeMethod extends Method {
   SetDataAndTypeMethod() {
     this.hasName(["setDataAndType", "setDataAndTypeAndNormalize"]) and
-    this.getDeclaringType().getASupertype*() instanceof TypeIntent
+    this.getDeclaringType() instanceof TypeIntent
   }
 }
 
 class SetDataMethod extends Method {
   SetDataMethod() {
     this.hasName(["setData", "setDataAndNormalize", "setDataAndType", "setDataAndTypeAndNormalize"]) and
-    this.getDeclaringType().getASupertype*() instanceof TypeIntent
+    this.getDeclaringType() instanceof TypeIntent
   }
 }
 
 class SetDataSink extends DataFlow::ExprNode {
   SetDataSink() { this.getExpr().(MethodAccess).getMethod() instanceof SetDataMethod }
-
-  DataFlow::ExprNode getUri() { result.asExpr() = this.getExpr().(MethodAccess).getArgument(0) }
 }
 
-class UriParseMethod extends Method {
-  UriParseMethod() {
-    this.hasName(["parse", "fromFile"]) and
-    this.getDeclaringType().hasQualifiedName("android.net", "Uri")
+class UriConstructorMethod extends Method {
+  UriConstructorMethod() {
+    this.hasQualifiedName("android.net", "Uri", ["parse", "fromFile", "fromParts"])
   }
 }
 
 class ExternalSource extends DataFlow::Node {
   ExternalSource() {
     sourceNode(this, "android-external-storage-dir") or
-    this.asExpr().(MethodAccess).getMethod() instanceof UriParseMethod or
+    this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or
     this.asExpr().(StringLiteral).getValue().matches(["file://%", "http://%", "https://%"])
   }
 }
 
-class ExternalSourceConfiguration extends DataFlow2::Configuration {
+class ExternalSourceConfiguration extends DataFlow::Configuration {
   ExternalSourceConfiguration() { this = "ExternalSourceConfiguration" }
 
   override predicate isSource(DataFlow::Node node) { node instanceof ExternalSource }
 
   override predicate isSink(DataFlow::Node node) {
-    // any(PackageArchiveMimeTypeConfiguration c).hasFlow(_, node)
-    node instanceof SetDataSink
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof SetDataMethod and
+      ma.getArgument(0) = node.asExpr() and
+      any(PackageArchiveMimeTypeConfiguration c).hasFlowToExpr(ma)
+    )
   }
 }
 
-class PackageArchiveMimeTypeConfiguration extends TaintTracking::Configuration {
+private class PackageArchiveMimeTypeConfiguration extends TaintTracking2::Configuration {
   PackageArchiveMimeTypeConfiguration() { this = "PackageArchiveMimeTypeConfiguration" }
 
   override predicate isSource(DataFlow::Node node) {
@@ -96,10 +96,9 @@ class PackageArchiveMimeTypeConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node node, DataFlow::FlowState state) {
     state = "typeSet" and
     node instanceof SetDataSink
-    //    and any(ExternalSourceConfiguration c).hasFlow(_, node.(SetDataSink).getUri())
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, PackageArchiveMimeTypeConfiguration config
+from DataFlow::PathNode source, DataFlow::PathNode sink, ExternalSourceConfiguration config
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Android APK installation"