Add intermediate dataflow

Make sure that source intents are obtained from another intent's extras
2026-04-30 11:15:13 +02:00 · 2021-08-19 16:34:04 +02:00
parent f90220436f
commit aa2cdb7a53
2 changed files with 35 additions and 1 deletions
--- a/java/ql/src/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
+++ b/java/ql/src/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -11,7 +11,7 @@ import semmle.code.java.security.AndroidIntentRedirection
 class IntentRedirectionConfiguration extends TaintTracking::Configuration {
  IntentRedirectionConfiguration() { this = "IntentRedirectionConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof IntentRedirectionSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }

@@ -23,3 +23,35 @@ class IntentRedirectionConfiguration extends TaintTracking::Configuration {
    any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
  }
 }
+
+/** The method `getParcelableExtra` called on a tainted `Intent`. */
+private class IntentRedirectionSource extends DataFlow::Node {
+  IntentRedirectionSource() {
+    exists(GetParcelableExtra ma | this.asExpr() = ma.getQualifier()) and
+    exists(IntentToGetParcelableExtraConf conf | conf.hasFlowTo(this))
+  }
+}
+
+/**
+ * Data flow from a remote intent to the qualifier of a `getParcelableExtra` call.
+ */
+private class IntentToGetParcelableExtraConf extends DataFlow2::Configuration {
+  IntentToGetParcelableExtraConf() { this = "IntentToGetParcelableExtraConf" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GetParcelableExtra ma | sink.asExpr() = ma.getQualifier())
+  }
+}
+
+/** A call to the method `Intent.getParcelableExtra`. */
+private class GetParcelableExtra extends MethodAccess {
+  GetParcelableExtra() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType() instanceof TypeIntent and
+      m.hasName("getParcelableExtra")
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
+++ b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
@@ -21,6 +21,8 @@ public class AndroidIntentRedirectionTest extends Activity {
            startActivity(intent); // $ hasAndroidIntentRedirection
        }

+        startActivity(getIntent()); // Safe - not an intent obtained from the Extras
+
        // @formatter:off
        startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
        startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection