First version of the query

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirect.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Android Intent redirect
+ * @description xxx
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity xx
+ * @precision high
+ * @id java/android/unsafe-android-webview-fetch
+ * @tags security
+ *       external/cwe/cwe-926
+ *       external/cwe/cwe-940
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidIntentRedirectQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Arbitrary Android activities or services can be started from $@.", source.getNode(),
+  "this user input"

java/ql/src/semmle/code/java/security/AndroidIntentRedirectQuery.qll

@@ -0,0 +1,24 @@
+/** Provides taint tracking configurations to be used in Android Intent Redirect queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A taint tracking configuration for user-provided Intents being used to start Android components.
+ */
+class IntentRedirectConfiguration extends TaintTracking::Configuration {
+  IntentRedirectConfiguration() { this = "IntentRedirectConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof StartActivityMethod or
+      ma.getMethod() instanceof StartServiceMethod or
+      ma.getMethod() instanceof SendBroadcastMethod
+    |
+      ma.getArgument(0) = sink.asExpr()
+    )
+  }
+}