Add support for Slices

2026-05-01 03:35:13 +02:00 · 2021-10-04 13:20:52 +02:00
parent d43242d09e
commit e58a8587db
3 changed files with 104 additions and 15 deletions
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -2,10 +2,8 @@

 import java
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.dataflow.TaintTracking
-private import semmle.code.java.frameworks.android.Intent

-private class PendingIntentModels extends SinkModelCsv {
+private class PendingIntentCreationModels extends SinkModelCsv {
  override predicate row(string row) {
    row =
      [
@@ -17,6 +15,16 @@ private class PendingIntentModels extends SinkModelCsv {
  }
 }

+private class PendingIntentSentSinkModels extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "androidx.slice;SliceProvider;true;onBindSlice;;;ReturnValue;pending-intent-sent",
+        "androidx.slice;SliceProvider;true;onCreatePermissionRequest;;;ReturnValue;pending-intent-sent"
+      ]
+  }
+}
+
 // TODO: Remove when https://github.com/github/codeql/pull/6397 gets merged
 private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
  override predicate row(string row) {
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -17,16 +17,7 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
    source.asExpr() instanceof ImplicitPendingIntentCreation
  }

-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof IntentStartSink and
-    // startService can't actually start implicit intents since API 21
-    not exists(MethodAccess ma, Method m |
-      ma.getMethod() = m and
-      m.getDeclaringType().getASupertype*() instanceof TypeContext and
-      m.hasName("startService") and
-      sink.asExpr() = ma.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SendPendingIntent }

  override predicate isSanitizer(DataFlow::Node sanitizer) {
    sanitizer instanceof ExplicitIntentSanitizer
@@ -49,8 +40,19 @@ private class ImplicitPendingIntentCreation extends Expr {
  }
 }

-private class IntentStartSink extends DataFlow::Node {
-  IntentStartSink() { sinkNode(this, "intent-start") }
+private class SendPendingIntent extends DataFlow::Node {
+  SendPendingIntent() {
+    sinkNode(this, "intent-start") and
+    // startService can't actually start implicit intents since API 21
+    not exists(MethodAccess ma, Method m |
+      ma.getMethod() = m and
+      m.getDeclaringType().getASupertype*() instanceof TypeContext and
+      m.hasName("startService") and
+      this.asExpr() = ma.getArgument(0)
+    )
+    or
+    sinkNode(this, "pending-intent-sent")
+  }
 }

 private class ImplicitPendingIntentConf extends DataFlow2::Configuration {