hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refactor to actually build the full flows from src to sink

Browse Source 
Add more tests for edge cases
This commit is contained in:
Tony Torralba
2021-08-26 12:21:57 +02:00
parent 4dd9e7d6a0
commit bc6c13be69
4 changed files with 84 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
View File

@@ -55,6 +55,12 @@ public class AndroidIntentRedirectionTest extends Activity {
}
try {
{
// Delayed cast
Object obj = getIntent().getParcelableExtra("forward_intent");
Intent fwdIntent = (Intent) obj;
startActivity(fwdIntent); // $ hasAndroidIntentRedirection
}
{
Intent fwdIntent = new Intent();
fwdIntent.setClassName((Context) null, (String) intent.getExtra("className"));
@@ -132,11 +138,6 @@ public class AndroidIntentRedirectionTest extends Activity {
fwdIntent.setComponent(component);
startActivity(fwdIntent); // $ hasAndroidIntentRedirection
}
{
Intent originalIntent = getIntent();
Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
startActivity(originalIntent); // Safe - not an Intent obtained from the Extras
}
{
Intent originalIntent = getIntent();
ComponentName cp = new ComponentName(originalIntent.getStringExtra("packageName"),
@@ -146,10 +147,35 @@ public class AndroidIntentRedirectionTest extends Activity {
startActivity(originalIntent); // Safe - not a tainted Intent
}
{
// Delayed cast
Object obj = getIntent().getParcelableExtra("forward_intent");
Intent fwdIntent = (Intent) obj;
startActivity(fwdIntent); // $ hasAndroidIntentRedirection
Intent originalIntent = getIntent();
Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
if (originalIntent.getBooleanExtra("use_fwd_intent", false)) {
startActivity(fwdIntent); // $ hasAndroidIntentRedirection
} else {
startActivity(originalIntent); // Safe - not an Intent obtained from the Extras
}
}
{
Intent originalIntent = getIntent();
originalIntent.setClassName(originalIntent.getStringExtra("package_name"),
originalIntent.getStringExtra("class_name"));
startActivity(originalIntent); // $ hasAndroidIntentRedirection
}
{
Intent originalIntent = getIntent();
originalIntent.setClassName("not_user_provided", "not_user_provided");
startActivity(originalIntent); // Safe - component changed but not tainted
}
{
Intent originalIntent = getIntent();
Intent fwdIntent;
if (originalIntent.getBooleanExtra("use_fwd_intent", false)) {
fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
} else {
fwdIntent = originalIntent;
}
// Conditionally tainted sinks aren't supported currently
startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
}
} catch (Exception e) {
}

6
java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql
View File

@@ -9,10 +9,10 @@ class HasAndroidIntentRedirectionTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasAndroidIntentRedirection" and
exists(DataFlow::PathNode src, DataFlow::PathNode sink |
hasIntentRedirectionFlowPath(src, sink)
exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectionConfiguration conf |
conf.hasFlow(src, sink)
|
sink.getNode().getLocation() = location and
sink.getLocation() = location and
element = sink.toString() and
value = ""
)