Make bitwise taintsteps specific for this query

atorralba · atorralba · commit 265f8a3b1921 · 2022-01-20T13:23:56.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -176,8 +176,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
   serializationStep(src, sink)
   or
   formatStep(src, sink)
-  or
-  bitwiseStep(src, sink)
 }
 
 /**
@@ -527,9 +525,6 @@ private class FormatterCallable extends TaintPreservingCallable {
   }
 }
 
-/** Holds if taint may flow from the operand of a bitwise expression to its result. */
-private predicate bitwiseStep(Expr src, BitwiseExpr sink) { sink.(BinaryExpr).getAnOperand() = src }
-
 private import StringBuilderVarModule
 
 module StringBuilderVarModule {
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
@@ -31,6 +31,18 @@ abstract class IntentUriPermissionManipulationSanitizer extends DataFlow::Node {
  */
 abstract class IntentUriPermissionManipulationGuard extends DataFlow::BarrierGuard { }
 
+/**
+ * An additional taint step for flows related to Intent URI permission manipulation
+ * vulnerabilities.
+ */
+class IntentUriPermissionManipulationAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step for flows related to Intent URI permission manipulation vulnerabilities.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
 private class DefaultIntentUriPermissionManipulationSink extends IntentUriPermissionManipulationSink {
   DefaultIntentUriPermissionManipulationSink() {
     exists(MethodAccess ma | ma.getMethod() instanceof ActivitySetResultMethod |
@@ -55,14 +67,11 @@ private class IntentFlagsOrDataChangedSanitizer extends IntentUriPermissionManip
       this.asExpr() = ma.getQualifier()
     |
       m.hasName("removeFlags") and
-      TaintTracking::localExprTaint(any(GrantReadUriPermissionFlag f).getAnAccess(),
-        ma.getArgument(0)) and
-      TaintTracking::localExprTaint(any(GrantWriteUriPermissionFlag f).getAnAccess(),
-        ma.getArgument(0))
+      bitwiseLocalTaintStep*(any(GrantReadUriPermissionFlag f).getAnAccess(), ma.getArgument(0)) and
+      bitwiseLocalTaintStep*(any(GrantWriteUriPermissionFlag f).getAnAccess(), ma.getArgument(0))
       or
       m.hasName("setFlags") and
-      not TaintTracking::localExprTaint(any(GrantUriPermissionFlag f).getAnAccess(),
-        ma.getArgument(0))
+      not bitwiseLocalTaintStep*(any(GrantUriPermissionFlag f).getAnAccess(), ma.getArgument(0))
       or
       m.hasName("setData")
     )
@@ -101,7 +110,7 @@ private predicate intentFlagsOrDataChecked(Guard g, Expr intent, boolean branch)
     ma.getMethod() = m and
     m.getDeclaringType() instanceof TypeIntent and
     m.hasName(["getFlags", "getData"]) and
-    TaintTracking::localExprTaint(ma, checkedValue)
+    bitwiseLocalTaintStep*(ma, checkedValue)
   |
     bitwiseCheck(g, branch) and
     checkedValue = g.(EqualityTest).getAnOperand().(AndBitwiseExpr)
@@ -123,3 +132,12 @@ private predicate bitwiseCheck(Guard g, boolean branch) {
     else g.(EqualityTest).polarity().booleanNot() = branch
   )
 }
+
+/**
+ * Holds if taint can flow from `source` to `sink` in one local step,
+ * including bitwise operations.
+ */
+private predicate bitwiseLocalTaintStep(Expr source, Expr sink) {
+  TaintTracking::localTaintStep(DataFlow::exprNode(source), DataFlow::exprNode(sink)) or
+  source = sink.(BinaryExpr).getAnOperand()
+}
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -27,4 +27,8 @@ class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof IntentUriPermissionManipulationGuard
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -176,8 +176,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {`
`176`	`176`	`serializationStep(src, sink)`
`177`	`177`	`or`
`178`	`178`	`formatStep(src, sink)`
`179`		`- or`
`180`		`- bitwiseStep(src, sink)`
`181`	`179`	`}`
`182`	`180`
`183`	`181`	`/**`
`@@ -527,9 +525,6 @@ private class FormatterCallable extends TaintPreservingCallable {`
`527`	`525`	`}`
`528`	`526`	`}`
`529`	`527`
`530`		`-/** Holds if taint may flow from the operand of a bitwise expression to its result. */`
`531`		`-private predicate bitwiseStep(Expr src, BitwiseExpr sink) { sink.(BinaryExpr).getAnOperand() = src }`
`532`		`-`
`533`	`528`	`private import StringBuilderVarModule`
`534`	`529`
`535`	`530`	`module StringBuilderVarModule {`
Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,8 @@ class IntentUriPermissionManipulationConf extends TaintTracking::Configuration {`
`27`	`27`	`override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {`
`28`	`28`	`guard instanceof IntentUriPermissionManipulationGuard`
`29`	`29`	`}`
	`30`	`+`
	`31`	`+ override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`
	`32`	`+ any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)`
	`33`	`+ }`
`30`	`34`	`}`