Add support for implicit field read flows

2026-04-27 01:35:13 +02:00 · 2021-10-05 16:42:25 +02:00
parent e58a8587db
commit 7f85dae63b
2 changed files with 29 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -23,10 +23,19 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
    sanitizer instanceof ExplicitIntentSanitizer
  }

+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Field f |
+      f.getType() instanceof PendingIntent and
+      node1.(DataFlow::PostUpdateNode).getPreUpdateNode() =
+        DataFlow::getFieldQualifier(f.getAnAccess().(FieldWrite)) and
+      node2.asExpr().(FieldRead).getField() = f
+    )
+  }
+
  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    super.allowImplicitRead(node, c)
-    or
-    this.isSink(node)
+    super.allowImplicitRead(node, c) or
+    this.isSink(node) or
+    this.isAdditionalTaintStep(node, _)
  }
 }

--- a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
+++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
@@ -90,6 +90,8 @@ public class ImplicitPendingIntentsTest {

    static class TestSliceProvider extends SliceProvider {

+        private PendingIntent mPendingIntent;
+
        @Override
        public Slice onBindSlice(Uri sliceUri) {
            if (sliceUri.getAuthority().equals("1")) {
@@ -110,7 +112,7 @@ public class ImplicitPendingIntentsTest {
                        .setPrimaryAction(activityAction));
                return listBuilder.build(); // Safe

-            } else {
+            } else if (sliceUri.getAuthority().equals("3")) {
                Intent baseIntent = new Intent();
                PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent,
                        PendingIntent.FLAG_IMMUTABLE); // Sanitizer
@@ -119,6 +121,14 @@ public class ImplicitPendingIntentsTest {
                listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
                        .setPrimaryAction(activityAction));
                return listBuilder.build(); // Safe
+
+            } else {
+                // Testing implicit field read flows:
+                // mPendingIntent is set in onCreateSliceProvider
+                SliceAction action = SliceAction.createDeeplink(mPendingIntent, null, 0, "");
+                ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, 0);
+                listBuilder.addRow(new ListBuilder.RowBuilder(sliceUri).setPrimaryAction(action));
+                return listBuilder.build(); // $hasTaintFlow
            }
        }

@@ -136,12 +146,17 @@ public class ImplicitPendingIntentsTest {
            }
        }

-        // Implementations needed for compilation
        @Override
        public boolean onCreateSliceProvider() {
+            // Testing implicit field read flows:
+            // mPendingIntent is used in onBindSlice
+            Intent baseIntent = new Intent();
+            mPendingIntent = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
            return true;
        }

+        // Implementations needed for compilation
+
        @Override
        public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts,
                CancellationSignal signal) throws RemoteException, FileNotFoundException {