Follow taint across getExtras without qualifier

2026-04-30 11:15:13 +02:00 · 2020-10-27 12:01:30 +00:00
parent 9ae5689af6
commit 60e8910330
1 changed files with 6 additions and 4 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -308,16 +308,18 @@ class ReverseDNSMethod extends Method {
 /** Exported Android `Intent` that may have come from a hostile application. */
 class AndroidIntentInput extends RemoteFlowSource {
  AndroidIntentInput() {
-    this.getEnclosingCallable().getDeclaringType().(AndroidComponent).isExported() and
-    (
+    exists(AndroidComponent exportedType |
+      exportedType.isExported() |
      exists(MethodAccess ma, AndroidGetIntentMethod m |
        ma.getMethod().overrides*(m) and
-        this.asExpr() = ma
+        this.asExpr() = ma and
+        exportedType = ma.getReceiverType()
      )
      or
      exists(Method m, AndroidReceiveIntentMethod rI |
        m.overrides*(rI) and
-        this.asParameter() = m.getParameter(1)
+        this.asParameter() = m.getParameter(1) and
+        exportedType = m.getDeclaringType()
      )
    )
  }