hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11367 from atorralba/atorralba/java/add-bitwise-implicit-intents

Browse Source 
Java: Consider taint through bitwise operations on PendingIntent flags
This commit is contained in:
Tony Torralba
2022-11-22 17:08:52 +01:00
committed by GitHub
parent 5866af413f 1667fbad88
commit 92ee0aa7ae
3 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
View File

@@ -85,9 +85,11 @@ private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAddition
// unless it is at least sometimes explicitly marked immutable and never marked mutable.
// Note: for API level < 31, PendingIntents were mutable by default, whereas since then
// they are immutable by default.
not TaintTracking::localExprTaint(any(ImmutablePendingIntentFlag flag).getAnAccess(), flagArg)
not bitwiseLocalTaintStep*(DataFlow::exprNode(any(ImmutablePendingIntentFlag flag)
.getAnAccess()), DataFlow::exprNode(flagArg))
or
TaintTracking::localExprTaint(any(MutablePendingIntentFlag flag).getAnAccess(), flagArg)
bitwiseLocalTaintStep*(DataFlow::exprNode(any(MutablePendingIntentFlag flag).getAnAccess()),
DataFlow::exprNode(flagArg))
)
}
}
@@ -124,3 +126,12 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
]
}
}
/**
* Holds if taint can flow from `source` to `sink` in one local step,
* including bitwise operations.
*/
private predicate bitwiseLocalTaintStep(DataFlow::Node source, DataFlow::Node sink) {
TaintTracking::localTaintStep(source, sink) or
source.asExpr() = sink.asExpr().(BitwiseExpr).(BinaryExpr).getAnOperand()
}

4
java/ql/src/change-notes/2022-11-22-bitwise-implicit-intent-flags.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.

2
java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
View File

@@ -156,7 +156,7 @@ public class ImplicitPendingIntentsTest {
PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, flag); // Sanitizer
Intent fwdIntent = new Intent();
fwdIntent.putExtra("fwdIntent", pi);
ctx.startActivity(fwdIntent); // $ SPURIOUS: $ hasImplicitPendingIntent
ctx.startActivity(fwdIntent); // Safe
}
}