Merge pull request #8873 from atorralba/atorralba/android-startactivity-flowstep

aschackmull · web-flow · commit 25336df30282 · 2022-05-11T11:08:08.000+02:00
Java: Add flow step from startActivity to getIntent
diff --git a/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md b/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -176,6 +176,25 @@ class GrantWriteUriPermissionFlag extends GrantUriPermissionFlag {
   GrantWriteUriPermissionFlag() { this.hasName("FLAG_GRANT_WRITE_URI_PERMISSION") }
 }
 
+/**
+ * A value-preserving step from the Intent argument of a `startActivity` call to
+ * a `getIntent` call in the Activity the Intent pointed to in its constructor.
+ */
+private class StartActivityIntentStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(MethodAccess startActivity, MethodAccess getIntent, ClassInstanceExpr newIntent |
+      startActivity.getMethod().overrides*(any(ContextStartActivityMethod m)) and
+      getIntent.getMethod().overrides*(any(AndroidGetIntentMethod m)) and
+      newIntent.getConstructedType() instanceof TypeIntent and
+      DataFlow::localExprFlow(newIntent, startActivity.getArgument(0)) and
+      newIntent.getArgument(1).getType().(ParameterizedType).getATypeArgument() =
+        getIntent.getReceiverType() and
+      n1.asExpr() = startActivity.getArgument(0) and
+      n2.asExpr() = getIntent
+    )
+  }
+}
+
 private class IntentBundleFlowSteps extends SummaryModelCsv {
   override predicate row(string row) {
     row =
diff --git a/java/ql/test/library-tests/frameworks/android/intent/AndroidManifest.xml b/java/ql/test/library-tests/frameworks/android/intent/AndroidManifest.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    package="com.example.app">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+
+        <activity
+            android:name=".TestStartActivityToGetIntent.SomeActivity"
+            android:exported="false">
+        </activity>
+
+    </application>
+</manifest>
diff --git a/java/ql/test/library-tests/frameworks/android/intent/TestStartActivityToGetIntent.java b/java/ql/test/library-tests/frameworks/android/intent/TestStartActivityToGetIntent.java
@@ -0,0 +1,25 @@
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+
+public class TestStartActivityToGetIntent {
+
+    static Object source() {
+        return null;
+    }
+
+    static void sink(Object sink) {}
+
+    public void test(Context ctx) {
+        Intent intent = new Intent(null, SomeActivity.class);
+        intent.putExtra("data", (String) source());
+        ctx.startActivity(intent);
+    }
+
+    static class SomeActivity extends Activity {
+
+        public void test() {
+            sink(getIntent().getStringExtra("data")); // $ hasValueFlow
+        }
+    }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.