hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-17 21:14:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Diff-informed ImproperIntentVerification.ql

Browse Source
This commit is contained in:
Jonas Jensen
2024-10-07 15:58:43 +02:00
parent e799bff744
commit 5bebae9abf
1 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
View File

@@ -25,6 +25,25 @@ private module VerifiedIntentConfig implements DataFlow::ConfigSig {
sink.asExpr() = ma.getQualifier()
)
}
predicate observeDiffInformedIncrementalMode() { any() }
Location getASelectedSourceLocation(DataFlow::Node src) {
exists(AndroidReceiverXmlElement rec, OnReceiveMethod orm, SystemActionName sa |
src.asParameter() = orm.getIntentParameter() and
anySystemReceiver(rec, orm, sa)
|
result = rec.getLocation()
or
result = orm.getLocation()
or
result = sa.getLocation()
)
}
// All sinks are set to have no locations because sinks aren't selected in
// the query. This effectively means that we're filtering on sources only.
Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
}
private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
@@ -67,9 +86,8 @@ class SystemActionName extends AndroidActionXmlElement {
string getSystemActionName() { result = name }
}
/** Holds if the XML element `rec` declares a receiver `orm` to receive the system action named `sa` that doesn't verify intents it receives. */
predicate unverifiedSystemReceiver(
AndroidReceiverXmlElement rec, UnverifiedOnReceiveMethod orm, SystemActionName sa
private predicate anySystemReceiver(
AndroidReceiverXmlElement rec, OnReceiveMethod orm, SystemActionName sa
) {
exists(Class ormty |
ormty = orm.getDeclaringType() and
@@ -77,3 +95,11 @@ predicate unverifiedSystemReceiver(
rec.getAnIntentFilterElement().getAnActionElement() = sa
)
}
/** Holds if the XML element `rec` declares a receiver `orm` to receive the system action named `sa` that doesn't verify intents it receives. */
predicate unverifiedSystemReceiver(
AndroidReceiverXmlElement rec, UnverifiedOnReceiveMethod orm, SystemActionName sa
) {
// The type of `orm` is different in these two predicates
anySystemReceiver(rec, orm, sa)
}