Java: update intent-start sink kind to intent-redirection

2026-04-20 06:24:03 +02:00 · 2023-05-09 12:10:57 -04:00
parent 5aa3e57ff3
commit b23f384a50
5 changed files with 28 additions and 27 deletions
--- a/java/ql/lib/ext/android.app.model.yml
+++ b/java/ql/lib/ext/android.app.model.yml
@@ -3,14 +3,14 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
      - ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intents", "manual"]
-      - ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
      - ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
      - ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intents", "manual"]
      - ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
--- a/java/ql/lib/ext/android.content.model.yml
+++ b/java/ql/lib/ext/android.content.model.yml
@@ -47,22 +47,22 @@ extensions:
      - ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql-injection", "manual"]
      - ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql-injection", "manual"]
      - ["android.content", "ContentResolver", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql-injection", "manual"]
-      - ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -276,8 +276,8 @@ module ModelValidation {
        [
          "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
          "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",
-          "ognl-injection", "intent-start", "pending-intents", "url-redirection", "create-file",
-          "read-file", "write-file", "set-hostname-verifier", "header-splitting",
+          "ognl-injection", "intent-redirection", "pending-intents", "url-redirection",
+          "create-file", "read-file", "write-file", "set-hostname-verifier", "header-splitting",
          "information-leak", "xslt-injection", "jexl-injection", "bean-validation",
          "template-injection", "fragment-injection", "command-injection"
        ] and
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -30,7 +30,7 @@ class IntentRedirectionAdditionalTaintStep extends Unit {

 /** Default sink for Intent redirection vulnerabilities. */
 private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
-  DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }
+  DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -54,7 +54,8 @@ private class IntentCreationSource extends ImplicitPendingIntentSource {

 private class SendPendingIntent extends ImplicitPendingIntentSink {
  SendPendingIntent() {
-    sinkNode(this, "intent-start") and
+    // intent redirection sinks are method calls that start Android components
+    sinkNode(this, "intent-redirection") and
    // implicit intents can't be started as services since API 21
    not exists(MethodAccess ma, Method m |
      ma.getMethod() = m and