diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
index 894417d2493..8ea368f6738 100644
--- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
@@ -9,7 +9,7 @@ private import semmle.code.java.security.ArbitraryApkInstallation
 * A dataflow configuration for flow from an external source of an APK to the
 * `setData[AndType][AndNormalize]` method of an intent.
 */
-private module ApkConf implements DataFlow::ConfigSig {
+private module ApkInstallationConfiguration implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) { node instanceof ExternalApkSource }

 predicate isSink(DataFlow::Node node) {
@@ -17,15 +17,15 @@ private module ApkConf implements DataFlow::ConfigSig {
 ma.getMethod() instanceof SetDataMethod and
 ma.getArgument(0) = node.asExpr() and
 (
- PackageArchiveMimeTypeConfiguration::hasFlowToExpr(ma.getQualifier())
+ PackageArchiveMimeTypeFlow::hasFlowToExpr(ma.getQualifier())
 or
- InstallPackageActionConfiguration::hasFlowToExpr(ma.getQualifier())
+ InstallPackageActionFlow::hasFlowToExpr(ma.getQualifier())
 )
 )
 }
 }

-module ApkConfiguration = DataFlow::Make;
+module ApkInstallationFlow = DataFlow::Make;

 /**
 * A dataflow configuration tracking the flow from the `android.content.Intent.ACTION_INSTALL_PACKAGE`
@@ -33,7 +33,7 @@ module ApkConfiguration = DataFlow::Make;
 *
 * This is used to track if an intent is used to install an APK.
 */
-private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
+private module InstallPackageActionConfiguration implements DataFlow::StateConfigSig {
 class FlowState = string;

 predicate isSource(DataFlow::Node source, FlowState state) {
@@ -69,15 +69,15 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
 predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
 }

-private module InstallPackageActionConfiguration =
- TaintTracking::MakeWithState;
+private module InstallPackageActionFlow =
+ TaintTracking::MakeWithState;

 /**
 * A dataflow configuration tracking the flow of the Android APK MIME type to
 * the `setType` or `setTypeAndNormalize` method of an intent, followed by a call
 * to `setData[AndType][AndNormalize]`.
 */
-private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig {
+private module PackageArchiveMimeTypeConfiguration implements DataFlow::StateConfigSig {
 class FlowState = string;

 predicate isSource(DataFlow::Node node, FlowState state) {
@@ -111,5 +111,5 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
 predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
 }

-private module PackageArchiveMimeTypeConfiguration =
- TaintTracking::MakeWithState;
+private module PackageArchiveMimeTypeFlow =
+ TaintTracking::MakeWithState;
diff --git a/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql b/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
index ebbe6defd84..aab75a8d368 100644
--- a/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
@@ -12,8 +12,8 @@

 import java
 import semmle.code.java.security.ArbitraryApkInstallationQuery
-import ApkConfiguration::PathGraph
+import ApkInstallationFlow::PathGraph

-from ApkConfiguration::PathNode source, ApkConfiguration::PathNode sink
-where ApkConfiguration::hasFlowPath(source, sink)
+from ApkInstallationFlow::PathNode source, ApkInstallationFlow::PathNode sink
+where ApkInstallationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Arbitrary Android APK installation."
diff --git a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql
index 8dfe7803c19..1e40c0a5d25 100644
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql
+++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest.ql
@@ -10,7 +10,7 @@ class HasApkInstallationTest extends InlineExpectationsTest {

 override predicate hasActualResult(Location location, string element, string tag, string value) {
 tag = "hasApkInstallation" and
- exists(DataFlow::Node sink | ApkConfiguration::hasFlowTo(sink) |
+ exists(DataFlow::Node sink | ApkInstallationFlow::hasFlowTo(sink) |
 sink.getLocation() = location and
 element = sink.toString() and
 value = ""