
Commit 65e76ab

committed
Add remote source of Android intent extra
1 parent d4c5887 commit 65e76ab

3 files changed

Lines changed: 60 additions & 0 deletions


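--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -20,6 +20,7 @@ import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
+import semmle.code.java.frameworks.android.Android
 
 /** A data flow source of remote user input. */
 abstract class RemoteFlowSource extends DataFlow::Node {
@@ -270,3 +271,36 @@ class AndroidIntentInput extends DataFlow::Node {
 )
 }
 }
+
+/**
+* Method access to external inputs of `android.content.Intent` object
+*/
+class IntentGetExtraMethodAccess extends MethodAccess {
+IntentGetExtraMethodAccess() {
+exists(AndroidComponent ac |
+this.getEnclosingCallable().getDeclaringType() = ac and ac.isExported()
+) and
+(
+this.getMethod().getName().regexpMatch("get\\w+Extra") and
+this.getMethod().getDeclaringType() instanceof TypeIntent
+or
+this.getMethod().getName().regexpMatch("get\\w+") and
+this.getQualifier().(MethodAccess).getMethod().hasName("getExtras") and
+this.getQualifier().(MethodAccess).getMethod().getDeclaringType() instanceof TypeIntent
+)
+}
+}
+
+/**
+* Android intent extra source
+*/
+private class AndroidIntentExtraSource extends RemoteFlowSource {
+AndroidIntentExtraSource() {
+exists(MethodAccess ma |
+ma instanceof IntentGetExtraMethodAccess and
+this.asExpr().(VarAccess).getVariable().getAnAssignedValue() = ma
+)
+}
+
+override string getSourceType() { result = "Android intent extra" }
+}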
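Review bot: `AndroidIntentExtraSource` makes every access to a variable that is ever assigned an intent-extra call a source, instead of the call expression itself. A call used directly as an argument, without an intermediate variable, is therefore not a source. A read of that variable after it has been re-assigned or validated is still treated as fresh remote input, which can surface as false positives. Making the call the source, `this.asExpr() instanceof IntentGetExtraMethodAccess`, would leave assignment tracking and barriers to the data-flow library. The Bundle branch likewise matches only when the qualifier is literally a `getExtras()` call, so a Bundle stored in a local first is missed; the class comment should state that limitation.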

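--- a/java/ql/src/semmle/code/java/frameworks/android/Android.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
@@ -32,18 +32,39 @@ class AndroidComponent extends Class {
 /** An Android activity. */
 class AndroidActivity extends AndroidComponent {
 AndroidActivity() { this.getASupertype*().hasQualifiedName("android.app", "Activity") }
+
+/** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
+override predicate isExported() {
+getAndroidComponentXmlElement().isExported()
+or
+not getAndroidComponentXmlElement().isNotExported() and hasIntentFilter()
+}
 }
 
 /** An Android service. */
 class AndroidService extends AndroidComponent {
 AndroidService() { this.getASupertype*().hasQualifiedName("android.app", "Service") }
+
+/** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
+override predicate isExported() {
+getAndroidComponentXmlElement().isExported()
+or
+not getAndroidComponentXmlElement().isNotExported() and hasIntentFilter()
+}
 }
 
 /** An Android broadcast receiver. */
 class AndroidBroadcastReceiver extends AndroidComponent {
 AndroidBroadcastReceiver() {
 this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver")
 }
+
+/** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
+override predicate isExported() {
+getAndroidComponentXmlElement().isExported()
+or
+not getAndroidComponentXmlElement().isNotExported() and hasIntentFilter()
+}
 }
 
 /** An Android content provider. */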
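Review bot: The same `isExported()` override and doc comment are pasted into `AndroidActivity`, `AndroidService` and `AndroidBroadcastReceiver`, so any later change to the implicit-export rule has to be made three times and the copies can drift. A single predicate on `AndroidComponent` that the three classes share would keep them aligned; whether the base `isExported()` can simply take this body is not visible in this hunk. The comment should also say that an intent filter with no `android:exported` attribute is treated as exported, which matches the platform default only for apps targeting releases before Android 12.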

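--- a/java/ql/src/semmle/code/xml/AndroidManifest.qll
+++ b/java/ql/src/semmle/code/xml/AndroidManifest.qll
@@ -137,6 +137,11 @@ class AndroidComponentXmlElement extends XMLElement {
 * Holds if the `android:exported` attribute of this component element is `true`.
 */
 predicate isExported() { getExportedAttributeValue() = "true" }
+
+/**
+* Holds if the `android:exported` attribute of this component element is explicitly set to `false`.
+*/
+predicate isNotExported() { getExportedAttributeValue() = "false" }
 }
 
 /**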
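Review bot: `isNotExported()` holds only for the literal string "false" and `isExported()` only for "true", so an `android:exported` value written as a resource reference matches neither. Callers that test `not isNotExported()` then treat such a component as potentially exported, which is a reasonable over-approximation for a security query but is not documented. I would add a line to the doc comment such as `* Does not hold when the attribute is absent or is anything other than the literal "false", for example a resource reference.` The name also reads like the negation of `isExported()`, which it is not, and the comment is the place to say so.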
