Add intermediate dataflow

atorralba · atorralba · commit aa2cdb7a5343 · 2021-10-18T11:09:30.000+02:00
Make sure that source intents are obtained from another intent's extras
diff --git a/java/ql/src/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/src/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -11,7 +11,7 @@ import semmle.code.java.security.AndroidIntentRedirection
 class IntentRedirectionConfiguration extends TaintTracking::Configuration {
   IntentRedirectionConfiguration() { this = "IntentRedirectionConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof IntentRedirectionSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
@@ -23,3 +23,35 @@ class IntentRedirectionConfiguration extends TaintTracking::Configuration {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
   }
 }
+
+/** The method `getParcelableExtra` called on a tainted `Intent`. */
+private class IntentRedirectionSource extends DataFlow::Node {
+  IntentRedirectionSource() {
+    exists(GetParcelableExtra ma | this.asExpr() = ma.getQualifier()) and
+    exists(IntentToGetParcelableExtraConf conf | conf.hasFlowTo(this))
+  }
+}
+
+/**
+ * Data flow from a remote intent to the qualifier of a `getParcelableExtra` call.
+ */
+private class IntentToGetParcelableExtraConf extends DataFlow2::Configuration {
+  IntentToGetParcelableExtraConf() { this = "IntentToGetParcelableExtraConf" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GetParcelableExtra ma | sink.asExpr() = ma.getQualifier())
+  }
+}
+
+/** A call to the method `Intent.getParcelableExtra`. */
+private class GetParcelableExtra extends MethodAccess {
+  GetParcelableExtra() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType() instanceof TypeIntent and
+      m.hasName("getParcelableExtra")
+    )
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
@@ -21,6 +21,8 @@ public void onCreate(Bundle savedInstanceState) {
             startActivity(intent); // $ hasAndroidIntentRedirection
         }
 
+        startActivity(getIntent()); // Safe - not an intent obtained from the Extras
+
         // @formatter:off
         startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
         startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ public void onCreate(Bundle savedInstanceState) {`
`21`	`21`	`startActivity(intent); // $ hasAndroidIntentRedirection`
`22`	`22`	`}`
`23`	`23`
	`24`	`+ startActivity(getIntent()); // Safe - not an intent obtained from the Extras`
	`25`	`+`
`24`	`26`	`// @formatter:off`
`25`	`27`	`startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection`
`26`	`28`	`startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection`