
Commit 3957ebe

committed
Fix bitwiseLocalTaintStep
1 parent 265f8a3 commit 3957ebe


1 file changed

+10
-7
lines changed


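--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
@@ -67,11 +67,14 @@ private class IntentFlagsOrDataChangedSanitizer extends IntentUriPermissionManip
 this.asExpr() = ma.getQualifier()
 |
 m.hasName("removeFlags") and
-bitwiseLocalTaintStep*(any(GrantReadUriPermissionFlag f).getAnAccess(), ma.getArgument(0)) and
-bitwiseLocalTaintStep*(any(GrantWriteUriPermissionFlag f).getAnAccess(), ma.getArgument(0))
+bitwiseLocalTaintStep*(DataFlow::exprNode(any(GrantReadUriPermissionFlag f).getAnAccess()),
+DataFlow::exprNode(ma.getArgument(0))) and
+bitwiseLocalTaintStep*(DataFlow::exprNode(any(GrantWriteUriPermissionFlag f).getAnAccess()),
+DataFlow::exprNode(ma.getArgument(0)))
 or
 m.hasName("setFlags") and
-not bitwiseLocalTaintStep*(any(GrantUriPermissionFlag f).getAnAccess(), ma.getArgument(0))
+not bitwiseLocalTaintStep*(DataFlow::exprNode(any(GrantUriPermissionFlag f).getAnAccess()),
+DataFlow::exprNode(ma.getArgument(0)))
 or
 m.hasName("setData")
 )
@@ -110,7 +113,7 @@ private predicate intentFlagsOrDataChecked(Guard g, Expr intent, boolean branch)
 ma.getMethod() = m and
 m.getDeclaringType() instanceof TypeIntent and
 m.hasName(["getFlags", "getData"]) and
-bitwiseLocalTaintStep*(ma, checkedValue)
+bitwiseLocalTaintStep*(DataFlow::exprNode(ma), DataFlow::exprNode(checkedValue))
 |
 bitwiseCheck(g, branch) and
 checkedValue = g.(EqualityTest).getAnOperand().(AndBitwiseExpr)
@@ -137,7 +140,7 @@ private predicate bitwiseCheck(Guard g, boolean branch) {
 * Holds if taint can flow from `source` to `sink` in one local step,
 * including bitwise operations.
 */
-private predicate bitwiseLocalTaintStep(Expr source, Expr sink) {
-TaintTracking::localTaintStep(DataFlow::exprNode(source), DataFlow::exprNode(sink)) or
-source = sink.(BinaryExpr).getAnOperand()
+private predicate bitwiseLocalTaintStep(DataFlow::Node source, DataFlow::Node sink) {
+TaintTracking::localTaintStep(source, sink) or
+source.asExpr() = sink.asExpr().(BitwiseExpr).(BinaryExpr).getAnOperand()
 }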
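Review bot: In the `setFlags` branch the closure is negated (`not bitwiseLocalTaintStep*(...)`), so narrowing the operand step from any `BinaryExpr` to `(BitwiseExpr).(BinaryExpr)` widens what the sanitizer accepts. Unless `TaintTracking::localTaintStep` already covers the case, a grant flag that reaches the argument through a non-bitwise binary expression, or presumably through any non-local path such as a field or helper method, leaves the negation true and the `setFlags` call is treated as having cleared the permission flags. That trades false positives for possible false negatives in the URI-permission query, and nothing in the visible lines says the trade is intended. I would state it on the predicate's doc comment, e.g. `* Only binary bitwise operators are followed; a flag combined any other way is not tracked.`, and add a query test where the flag value is assigned outside the method that calls `setFlags`. The sanitizer class and `intentFlagsOrDataChecked` both begin outside their hunks, so this is based on the visible lines only.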
