Add remote source of Android intent extra

2026-03-05 23:26:51 +01:00 · 2020-06-25 20:20:18 +00:00
parent d4c5887122
commit 65e76ab18f
3 changed files with 60 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -20,6 +20,7 @@ import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
+import semmle.code.java.frameworks.android.Android

 /** A data flow source of remote user input. */
 abstract class RemoteFlowSource extends DataFlow::Node {
@@ -270,3 +271,36 @@ class AndroidIntentInput extends DataFlow::Node {
    )
  }
 }
+
+/**
+ * Method access to external inputs of `android.content.Intent` object
+ */
+class IntentGetExtraMethodAccess extends MethodAccess {
+  IntentGetExtraMethodAccess() {
+    exists(AndroidComponent ac |
+      this.getEnclosingCallable().getDeclaringType() = ac and ac.isExported()
+    ) and
+    (
+      this.getMethod().getName().regexpMatch("get\\w+Extra") and
+      this.getMethod().getDeclaringType() instanceof TypeIntent
+      or
+      this.getMethod().getName().regexpMatch("get\\w+") and
+      this.getQualifier().(MethodAccess).getMethod().hasName("getExtras") and
+      this.getQualifier().(MethodAccess).getMethod().getDeclaringType() instanceof TypeIntent
+    )
+  }
+}
+
+/**
+ * Android intent extra source
+ */
+private class AndroidIntentExtraSource extends RemoteFlowSource {
+  AndroidIntentExtraSource() {
+    exists(MethodAccess ma |
+      ma instanceof IntentGetExtraMethodAccess and
+      this.asExpr().(VarAccess).getVariable().getAnAssignedValue() = ma
+    )
+  }
+
+  override string getSourceType() { result = "Android intent extra" }
+}