diff --git a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
index b494feb5492..2855f5989cf 100644
--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -122,9 +122,11 @@ private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
 }
 /**
+ * DEPRECATED: Use `SensitiveCommunicationFlow` instead.
+ *
 * Taint configuration tracking flow from variables containing sensitive information to broadcast Intents.
 */
-class SensitiveCommunicationConfig extends TaintTracking::Configuration {
+deprecated class SensitiveCommunicationConfig extends TaintTracking::Configuration {
 SensitiveCommunicationConfig() { this = "Sensitive Communication Configuration" }
 override predicate isSource(DataFlow::Node source) {
@@ -148,3 +150,27 @@ class SensitiveCommunicationConfig extends TaintTracking::Configuration {
 this.isSink(node)
 }
 }
+
+private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveInfoExpr }
+
+ predicate isSink(DataFlow::Node sink) {
+ isSensitiveBroadcastSink(sink)
+ or
+ isStartActivityOrServiceSink(sink)
+ }
+
+ /**
+ * Holds if broadcast doesn't specify receiving package name of the 3rd party app
+ */
+ predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
+
+ predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+ isSink(node) and exists(c)
+ }
+}
+
+/**
+ * Tracks taint flow from variables containing sensitive information to broadcast Intents.
+ */
+module SensitiveCommunicationFlow = TaintTracking::Make;
diff --git a/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql b/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
index c8ebb3e61f4..59a7d827cf6 100644
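Review bot: The doc comment on the new `SensitiveCommunicationFlow` module says it tracks flow "to broadcast Intents", but the module's `isSink` also accepts `isStartActivityOrServiceSink(sink)`, so the summary under-describes the sink set; suggest `Tracks taint flow from variables containing sensitive information to broadcast Intents and to Intents passed to the start-activity/start-service sinks.` The private module and the deprecated class share the name `SensitiveCommunicationConfig`, which appears to be legal because QL keeps module and type names apart, but it makes the `DEPRECATED: Use ...` pointer harder to follow, so a one-line comment on the module such as `// Module-based replacement for the deprecated class of the same name above.` would help the next reader. As rendered here the last added line reads `TaintTracking::Make;` with no module argument; presumably `<SensitiveCommunicationConfig>` was dropped by the rendering, but it is worth confirming the committed line carries it, since the query file in this same commit imports `SensitiveCommunicationFlow::PathGraph` and depends on that instantiation.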
--- a/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+++ b/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
@@ -13,9 +13,9 @@ import java
 import semmle.code.java.security.AndroidSensitiveCommunicationQuery
-import DataFlow::PathGraph
+import SensitiveCommunicationFlow::PathGraph
-from SensitiveCommunicationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from SensitiveCommunicationFlow::PathNode source, SensitiveCommunicationFlow::PathNode sink
+where SensitiveCommunicationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This call may leak $@.", source.getNode(), "sensitive information"
diff --git a/java/ql/test/query-tests/security/CWE-927/SensitiveCommunication.ql b/java/ql/test/query-tests/security/CWE-927/SensitiveCommunication.ql
index 40f74b0e911..c57c316310d 100644
--- a/java/ql/test/query-tests/security/CWE-927/SensitiveCommunication.ql
+++ b/java/ql/test/query-tests/security/CWE-927/SensitiveCommunication.ql
@@ -3,14 +3,10 @@ import semmle.code.java.security.AndroidSensitiveCommunicationQuery
 import TestUtilities.InlineExpectationsTest
 import TestUtilities.InlineFlowTest
-class EnableLegacy extends EnableLegacyConfiguration {
- EnableLegacy() { exists(this) }
-}
-
 class HasFlowTest extends InlineFlowTest {
- override DataFlow::Configuration getTaintFlowConfig() {
- result = any(SensitiveCommunicationConfig c)
- }
+ override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
- override DataFlow::Configuration getValueFlowConfig() { none() }
+ override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+ SensitiveCommunicationFlow::hasFlow(src, sink)
+ }
 }