Added more sinks

java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll

@@ -30,7 +30,12 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
         "android.app;NotificationManager;true;notify;(int,Notification);;Argument[1];pending-intent-sent",
         "android.app;NotificationManager;true;notify;(String,int,Notification);;Argument[2];pending-intent-sent",
         "android.app;NotificationManager;true;notifyAsPackage;(String,String,int,Notification);;Argument[3];pending-intent-sent",
-        "android.app;NotificationManager;true;notifyAsUser;(String,int,Notification,UserHandle);;Argument[2];pending-intent-sent"
+        "android.app;NotificationManager;true;notifyAsUser;(String,int,Notification,UserHandle);;Argument[2];pending-intent-sent",
+        "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String,Bundle);;Argument[2];pending-intent-sent",
+        "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler,String);;Argument[2];pending-intent-sent",
+        "android.app;PendingIntent;false;send;(Context,int,Intent,OnFinished,Handler);;Argument[2];pending-intent-sent",
+        "android.app;PendingIntent;false;send;(Context,int,Intent);;Argument[2];pending-intent-sent",
+        "android.app;Activity;true;setResult;(int,Intent);;Argument[1];pending-intent-sent"
       ]
   }
 }
@@ -40,6 +45,8 @@ private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
+        "android.app;Activity;true;bindService;;;Argument[0];intent-start",
+        "android.app;Activity;true;bindServiceAsUser;;;Argument[0];intent-start",
         "android.app;Activity;true;startActivityAsCaller;;;Argument[0];intent-start",
         "android.app;Activity;true;startActivityForResult;(Intent,int);;Argument[0];intent-start",
         "android.app;Activity;true;startActivityForResult;(Intent,int,Bundle);;Argument[0];intent-start",

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -60,11 +60,11 @@ private class ImplicitPendingIntentCreation extends Expr {
 private class SendPendingIntent extends DataFlow::Node {
   SendPendingIntent() {
     sinkNode(this, "intent-start") and
-    // startService can't actually start implicit intents since API 21
+    // implicit intents can't be started as services since API 21
     not exists(MethodAccess ma, Method m |
       ma.getMethod() = m and
       m.getDeclaringType().getASupertype*() instanceof TypeContext and
-      m.getName().matches("start%Service%") and
+      m.getName().matches(["start%Service%", "bindService%"]) and
       this.asExpr() = ma.getArgument(0)
     )
     or

java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java

@@ -148,6 +148,20 @@ public class ImplicitPendingIntentsTest {
         }
     }
 
+    public static void testPendingIntentWrappedInAnotherPendingIntent(Context ctx,
+            PendingIntent other) throws PendingIntent.CanceledException {
+        {
+            Intent baseIntent = new Intent();
+            PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, 0);
+            Intent fwdIntent = new Intent();
+            fwdIntent.putExtra("fwdIntent", pi);
+            other.send(ctx, 0, fwdIntent); // $hasTaintFlow
+            other.send(ctx, 0, fwdIntent, null, null); // $hasTaintFlow
+            other.send(ctx, 0, fwdIntent, null, null, null); // $hasTaintFlow
+            other.send(ctx, 0, fwdIntent, null, null, null, null); // $hasTaintFlow
+        }
+    }
+
     public static void testPendingIntentInANotification(Context ctx)
             throws PendingIntent.CanceledException {
 
@@ -194,6 +208,17 @@ public class ImplicitPendingIntentsTest {
 
     }
 
+    static class TestActivity extends Activity {
+        @Override
+        public void onCreate(Bundle bundle) {
+            Intent baseIntent = new Intent();
+            PendingIntent pi = PendingIntent.getActivity(null, 0, baseIntent, 0);
+            Intent fwdIntent = new Intent();
+            fwdIntent.putExtra("fwdIntent", pi);
+            setResult(0, fwdIntent); // $hasTaintFlow
+        }
+    }
+
     static class TestSliceProvider extends SliceProvider {
 
         private PendingIntent mPendingIntent;