Add more sinks

Also, fix things after rebase
2026-05-05 21:55:19 +02:00 · 2021-10-18 12:00:07 +02:00
parent 28ae4c211f
commit d1d2d61d7e
8 changed files with 68 additions and 25 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -104,6 +104,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.spring.SpringBeans
  private import semmle.code.java.frameworks.spring.SpringWebMultipart
  private import semmle.code.java.frameworks.spring.SpringWebUtil
+  private import semmle.code.java.security.AndroidIntentRedirection
  private import semmle.code.java.security.ResponseSplitting
  private import semmle.code.java.security.InformationLeak
  private import semmle.code.java.security.GroovyInjection
--- a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -10,6 +10,11 @@ class TypeIntent extends Class {
  TypeIntent() { hasQualifiedName("android.content", "Intent") }
 }

+/** The class `android.content.ComponentName`. */
+class TypeComponentName extends Class {
+  TypeComponentName() { this.hasQualifiedName("android.content", "ComponentName") }
+}
+
 /**
 * The class `android.app.Activity`.
 */
@@ -236,3 +241,35 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
      ]
  }
 }
+
+private class IntentComponentTaintSteps extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint",
+        "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClass;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setClassName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setComponent;;;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;ComponentName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Parcel);;Argument[0];Argument[-1];taint",
+        "android.content;ComponentName;false;createRelative;(String,String);;Argument[0..1];ReturnValue;taint",
+        "android.content;ComponentName;false;createRelative;(Context,String);;Argument[1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToShortString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getPackageName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getShortClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;unflattenFromString;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -32,6 +32,8 @@ private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
  override predicate row(string row) {
    row =
      [
+        "android.app;Activity;true;bindService;;;Argument[0];intent-start",
+        "android.app;Activity;true;bindServiceAsUser;;;Argument[0];intent-start",
        "android.app;Activity;true;startActivityAsCaller;;;Argument[0];intent-start",
        "android.app;Activity;true;startActivityForResult;(Intent,int);;Argument[0];intent-start",
        "android.app;Activity;true;startActivityForResult;(Intent,int,Bundle);;Argument[0];intent-start",
@@ -43,6 +45,7 @@ private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
        "android.content;Context;true;startActivityFromChild;;;Argument[1];intent-start",
        "android.content;Context;true;startActivityFromFragment;;;Argument[1];intent-start",
        "android.content;Context;true;startActivityIfNeeded;;;Argument[0];intent-start",
+        "android.content;Context;true;startForegroundService;;;Argument[0];intent-start",
        "android.content;Context;true;startService;;;Argument[0];intent-start",
        "android.content;Context;true;startServiceAsUser;;;Argument[0];intent-start",
        "android.content;Context;true;sendBroadcast;;;Argument[0];intent-start",