hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Sensitive Result Receiver query

Browse Source
This commit is contained in:
Joe Farebrother
2022-12-08 11:02:37 +00:00
parent 18a815ca8b
commit b96edb9c64
2 changed files with 76 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
java/ql/lib/semmle/code/java/security/SensitiveResultReceiverQuery.qll Normal file
View File

@@ -0,0 +1,55 @@
/** Definitions for the sensitive result receiver query. */
import java
import semmle.code.java.dataflow.TaintTracking2
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SensitiveActions
private class ResultReceiverSendCall extends MethodAccess {
ResultReceiverSendCall() {
this.getMethod()
.getASourceOverriddenMethod*()
.hasQualifiedName("android.os", "ResultReceiver", "send")
}
Expr getReceiver() { result = this.getQualifier() }
Expr getSentData() { result = this.getArgument(1) }
}
private class UntrustedResultReceiverConf extends TaintTracking2::Configuration {
UntrustedResultReceiverConf() { this = "UntrustedResultReceiverConf" }
override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node node) {
node.asExpr() = any(ResultReceiverSendCall c).getReceiver()
}
}
private predicate untrustedResultReceiverSend(DataFlow::Node src, ResultReceiverSendCall call) {
any(UntrustedResultReceiverConf c).hasFlow(src, DataFlow::exprNode(call.getReceiver()))
}
private class SensitiveResultReceiverConf extends TaintTracking::Configuration {
SensitiveResultReceiverConf() { this = "SensitiveResultReceiverConf" }
override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof SensitiveExpr }
override predicate isSink(DataFlow::Node node) {
exists(ResultReceiverSendCall call |
untrustedResultReceiverSend(_, call) and
node.asExpr() = call.getSentData()
)
}
}
predicate sensitiveResultReceiver(
DataFlow::PathNode src, DataFlow::PathNode sink, DataFlow::Node recSrc
) {
exists(ResultReceiverSendCall call, SensitiveResultReceiverConf conf |
conf.hasFlowPath(src, sink) and
sink.getNode().asExpr() = call.getSentData() and
untrustedResultReceiverSend(recSrc, call)
)
}