Added tests and stubs

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectTest.java

@@ -0,0 +1,55 @@
+package com.example.app;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class AndroidIntentRedirectTest extends Activity {
+    AndroidIntentRedirectTest(Context base) {
+        super(base);
+    }
+
+    public void onCreate(Bundle savedInstanceState) {
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirect
+            startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirect
+            startActivity(intent); // $ hasAndroidIntentRedirect
+            startActivity(intent, null); // $ hasAndroidIntentRedirect
+            startActivityAsUser(intent, null); // $ hasAndroidIntentRedirect
+            startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirect
+            startActivityAsUserFromFragment(null, intent, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResult(intent, 0); // $ hasAndroidIntentRedirect
+            startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirect
+            startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirect
+        }
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            startService(intent); // $ hasAndroidIntentRedirect
+            startServiceAsUser(intent, null); // $ hasAndroidIntentRedirect
+        }
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            sendBroadcast(intent); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUserMultiplePermissions(intent, null, null); // $ hasAndroidIntentRedirect
+            sendStickyBroadcast(intent); // $ hasAndroidIntentRedirect
+            sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirect
+            sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirect
+            sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirect
+        }
+
+    }
+}

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectTest.ql

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.AndroidIntentRedirectQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasAndroidIntentRedirectTest extends InlineExpectationsTest {
+  HasAndroidIntentRedirectTest() { this = "HasAndroidIntentRedirectTest" }
+
+  override string getARelevantTag() { result = "hasAndroidIntentRedirect" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasAndroidIntentRedirect" and
+    exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectConfiguration conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-940/AndroidManifest.xml

@@ -0,0 +1,24 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".AndroidIntentRedirectTest"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".SafeActivity" />
+    </application>
+
+</manifest>

java/ql/test/query-tests/security/CWE-940/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0

java/ql/test/stubs/google-android-9.0.0/android/annotation/NonNull.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) 2013 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.annotation;
+
+public @interface NonNull {
+}

java/ql/test/stubs/google-android-9.0.0/android/annotation/RequiresPermission.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2015 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package android.annotation;
+
+import java.lang.annotation.Target;
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+
+public @interface RequiresPermission {
+    String value() default "";
+
+    String[] allOf() default {};
+
+    String[] anyOf() default {};
+
+    boolean conditional() default false;
+
+    @Target({FIELD, METHOD, PARAMETER})
+
+    @interface Read {
+        RequiresPermission value() default @RequiresPermission;
+
+    }
+    @Target({FIELD, METHOD, PARAMETER})
+
+    @interface Write {
+        RequiresPermission value() default @RequiresPermission;
+
+    }
+}

java/ql/test/stubs/google-android-9.0.0/android/app/Fragment.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package android.app;
+
+import android.annotation.Nullable;
+import android.content.Context;
+import android.os.Bundle;
+import android.os.Parcel;
+import android.os.Parcelable;
+
+
+public class Fragment {
+
+  public static class SavedState implements Parcelable {
+
+    @Override
+    public void writeToParcel(Parcel dest, int flags) {}
+
+  }
+
+  static public class InstantiationException {
+    public InstantiationException(String msg, Exception cause) {}
+
+  }
+
+  public Fragment() {}
+
+  public static Fragment instantiate(Context context, String fname) {
+    return null;
+  }
+
+  public static Fragment instantiate(Context context, String fname, @Nullable Bundle args) {
+    return null;
+  }
+
+  @Override
+  final public boolean equals(Object o) {
+    return false;
+  }
+
+  @Override
+  final public int hashCode() {
+    return 0;
+  }
+
+  @Override
+  public String toString() {
+    return null;
+  }
+
+}

java/ql/test/stubs/google-android-9.0.0/android/content/ComponentName.java

@@ -2,7 +2,6 @@
 
 package android.content;
 
-import android.content.Context;
 import android.os.Parcel;
 import android.os.Parcelable;
 

java/ql/test/stubs/google-android-9.0.0/android/content/ContextWrapper.java

@@ -15,22 +15,15 @@
  */
 package android.content;
 
-import android.content.BroadcastReceiver;
-import android.content.ComponentCallbacks;
-import android.content.ComponentName;
-import android.content.ContentResolver;
-import android.content.Intent;
-import android.content.IntentFilter;
-import android.content.IntentSender;
-import android.content.ServiceConnection;
-import android.content.SharedPreferences;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.InputStream;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.res.AssetManager;
-import android.content.res.ColorStateList;
 import android.content.res.Configuration;
 import android.content.res.Resources;
-import android.content.res.TypedArray;
 import android.database.DatabaseErrorHandler;
 import android.database.sqlite.SQLiteDatabase;
 import android.graphics.Bitmap;
@@ -40,13 +33,7 @@ import android.os.Bundle;
 import android.os.Handler;
 import android.os.Looper;
 import android.os.UserHandle;
-import android.util.AttributeSet;
 import android.view.Display;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.util.concurrent.Executor;
 
 /**
  * Proxying implementation of Context that simply delegates all of its calls to

java/ql/test/stubs/google-android-9.0.0/android/content/Intent.java

@@ -2,11 +2,10 @@
 
 package android.content;
 
-import android.content.ClipData;
-import android.content.ComponentName;
-import android.content.ContentResolver;
-import android.content.Context;
-import android.content.IntentSender;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Set;
+import org.xmlpull.v1.XmlPullParser;
 import android.content.pm.ActivityInfo;
 import android.content.pm.PackageManager;
 import android.content.res.Resources;
@@ -16,10 +15,6 @@ import android.os.Bundle;
 import android.os.Parcel;
 import android.os.Parcelable;
 import android.util.AttributeSet;
-import java.io.Serializable;
-import java.util.ArrayList;
-import java.util.Set;
-import org.xmlpull.v1.XmlPullParser;
 
 public class Intent implements Cloneable, Parcelable
 {

java/ql/test/stubs/google-android-9.0.0/android/content/IntentFilter.java

@@ -2,18 +2,16 @@
 
 package android.content;
 
-import android.content.ContentResolver;
-import android.content.Intent;
+import java.util.Iterator;
+import java.util.Set;
+import org.xmlpull.v1.XmlPullParser;
+import org.xmlpull.v1.XmlSerializer;
 import android.net.Uri;
 import android.os.Parcel;
 import android.os.Parcelable;
 import android.os.PatternMatcher;
 import android.util.AndroidException;
 import android.util.Printer;
-import java.util.Iterator;
-import java.util.Set;
-import org.xmlpull.v1.XmlPullParser;
-import org.xmlpull.v1.XmlSerializer;
 
 public class IntentFilter implements Parcelable
 {

java/ql/test/stubs/google-android-9.0.0/android/content/ServiceConnection.java

@@ -2,7 +2,6 @@
 
 package android.content;
 
-import android.content.ComponentName;
 import android.os.IBinder;
 
 public interface ServiceConnection

java/ql/test/stubs/google-android-9.0.0/android/os/Handler.java

@@ -2,8 +2,6 @@
 
 package android.os;
 
-import android.os.Looper;
-import android.os.Message;
 import android.util.Printer;
 
 public class Handler

java/ql/test/stubs/google-android-9.0.0/android/os/UserHandle.java

@@ -2,9 +2,6 @@
 
 package android.os;
 
-import android.os.Parcel;
-import android.os.Parcelable;
-
 public class UserHandle implements Parcelable
 {
     protected UserHandle() {}