add service flow sources

Author: Jami Cogswell

java/ql/lib/semmle/code/java/dataflow/FlowSources.qll

@@ -250,6 +250,12 @@ class AndroidIntentInput extends DataFlow::Node {
       this.asParameter() = m.getParameter(1) and
       receiverType = m.getDeclaringType()
     )
+    or
+    exists(Method m, AndroidServiceIntentMethod sI |
+      m.overrides*(sI) and
+      this.asParameter() = m.getParameter(0) and
+      receiverType = m.getDeclaringType()
+    )
   }
 }
 

java/ql/lib/semmle/code/java/frameworks/android/Intent.qll

@@ -22,6 +22,13 @@ class TypeActivity extends Class {
   TypeActivity() { this.hasQualifiedName("android.app", "Activity") }
 }
 
+/**
+ * The class `android.app.Service`.
+ */
+class TypeService extends Class {
+  TypeService() { this.hasQualifiedName("android.app", "Service") }
+}
+
 /**
  * The class `android.content.Context`.
  */
@@ -57,6 +64,22 @@ class AndroidReceiveIntentMethod extends Method {
   }
 }
 
+/**
+ * A method of type Service that receives an Intent.
+ * Namely, `Service.onStart`, `onStartCommand`, `onBind`,
+ * `onRebind`, `onUnbind`, or `onTaskRemoved`
+ */
+class AndroidServiceIntentMethod extends Method {
+  AndroidServiceIntentMethod() {
+    (
+      this.getName().matches("onStart%") or
+      this.getName().matches("on%ind") or
+      this.hasName("onTaskRemoved")
+    ) and
+    this.getDeclaringType() instanceof TypeService
+  }
+}
+
 /**
  * The method `Context.startActivity` or `startActivities`.
  */