Adapt to use the new shared Intent models

2026-04-28 18:25:24 +02:00 · 2021-10-06 16:15:18 +01:00
parent 91d8b3da23
commit 4be2347a30
4 changed files with 55 additions and 48 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll
@@ -28,45 +28,6 @@ class GetContentIntent extends ClassInstanceExpr {
  }
 }

-/** Android intent data model in the new CSV format. */
-private class AndroidIntentDataModel extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;createChooser;;;Argument[0];ReturnValue;taint",
-        "android.content;Intent;true;getData;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getDataString;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getExtras;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;getIntent;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;get" +
-          [
-            "ParcelableArray", "ParcelableArrayList", "Parcelable", "Serializable", "StringArray",
-            "StringArrayList", "String"
-          ] + "Extra;;;Argument[-1..1];ReturnValue;taint",
-        "android.content;Intent;true;put" +
-          [
-            "", "CharSequenceArrayList", "IntegerArrayList", "ParcelableArrayList",
-            "StringArrayList"
-          ] + "Extra;;;Argument[1];Argument[-1];taint",
-        "android.content;Intent;true;putExtras;;;Argument[1];Argument[-1];taint",
-        "android.content;Intent;true;setData;;;Argument[0];ReturnValue;taint",
-        "android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;taint",
-        "android.content;Intent;true;setType;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getEncodedPath;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getEncodedQuery;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getLastPathSegment;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getPath;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQuery;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQueryParameter;;;Argument[-1];ReturnValue;taint",
-        "android.net;Uri;true;getQueryParameters;;;Argument[-1];ReturnValue;taint"
-      ]
-  }
-}
-
 /** Taint configuration for getting content intent. */
 class GetContentIntentConfig extends TaintTracking2::Configuration {
  GetContentIntentConfig() { this = "GetContentIntentConfig" }
@@ -80,6 +41,19 @@ class GetContentIntentConfig extends TaintTracking2::Configuration {
      ma.getMethod() instanceof StartActivityForResultMethod and sink.asExpr() = ma.getArgument(0)
    )
  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content content) {
+    super.allowImplicitRead(node, content)
+    or
+    // Allow the wrapped intent created by Intent.getChooser to be consumed
+    // by at the sink:
+    isSink(node) and
+    (
+      content.(DataFlow::SyntheticFieldContent).getField() = "android.content.Intent.extras"
+      or
+      content instanceof DataFlow::MapValueContent
+    )
+  }
 }

 /** Android `Intent` input to request file loading. */
--- a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
@@ -14,6 +14,8 @@ import semmle.code.java.controlflow.Guards
 import AndroidFileIntentSink
 import AndroidFileIntentSource
 import DataFlow::PathGraph
+// For readStep, to implement `isAdditionalTaintStep`
+private import semmle.code.java.dataflow.internal.DataFlowPrivate

 private class StartsWithSanitizer extends DataFlow::BarrierGuard {
  StartsWithSanitizer() { this.(MethodAccess).getMethod().hasName("startsWith") }
@@ -64,6 +66,7 @@ class AndroidFileLeakConfig extends TaintTracking::Configuration {
    )
    or
    exists(MethodAccess csma, ServiceOnStartCommandMethod ssm, ClassInstanceExpr ce |
+      // An intent passed to startService will later be passed to the onStartCommand event of the corresponding service
      csma.getMethod() instanceof ContextStartServiceMethod and
      ce.getConstructedType() instanceof TypeIntent and // Intent intent = new Intent(context, FileUploader.class);
      ce.getArgument(1).(TypeLiteral).getReferencedType() = ssm.getDeclaringType() and
@@ -71,6 +74,11 @@ class AndroidFileLeakConfig extends TaintTracking::Configuration {
      prev.asExpr() = csma.getArgument(0) and
      succ.asParameter() = ssm.getParameter(0) // public int onStartCommand(Intent intent, int flags, int startId) {...} in FileUploader
    )
+    or
+    // When a whole Intent is tainted (e.g., due to this Configuration's source), treat its fields as tainted
+    readStep(prev,
+      any(DataFlow::SyntheticFieldContent c | c.getField().matches("android.content.Intent.%")),
+      succ)
  }

  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {