Java: Refactor SensitiveCommunication.ql.

Author: aschackmull

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -122,9 +122,11 @@ private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
 }
 
 /**
+ * DEPRECATED: Use `SensitiveCommunicationFlow` instead.
+ *
  * Taint configuration tracking flow from variables containing sensitive information to broadcast Intents.
  */
-class SensitiveCommunicationConfig extends TaintTracking::Configuration {
+deprecated class SensitiveCommunicationConfig extends TaintTracking::Configuration {
   SensitiveCommunicationConfig() { this = "Sensitive Communication Configuration" }
 
   override predicate isSource(DataFlow::Node source) {
@@ -148,3 +150,27 @@ class SensitiveCommunicationConfig extends TaintTracking::Configuration {
     this.isSink(node)
   }
 }
+
+private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveInfoExpr }
+
+  predicate isSink(DataFlow::Node sink) {
+    isSensitiveBroadcastSink(sink)
+    or
+    isStartActivityOrServiceSink(sink)
+  }
+
+  /**
+   * Holds if broadcast doesn't specify receiving package name of the 3rd party app
+   */
+  predicate isBarrier(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    isSink(node) and exists(c)
+  }
+}
+
+/**
+ * Tracks taint flow from variables containing sensitive information to broadcast Intents.
+ */
+module SensitiveCommunicationFlow = TaintTracking::Make<SensitiveCommunicationConfig>;

java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql

@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.AndroidSensitiveCommunicationQuery
-import DataFlow::PathGraph
+import SensitiveCommunicationFlow::PathGraph
 
-from SensitiveCommunicationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from SensitiveCommunicationFlow::PathNode source, SensitiveCommunicationFlow::PathNode sink
+where SensitiveCommunicationFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This call may leak $@.", source.getNode(),
   "sensitive information"

java/ql/test/query-tests/security/CWE-927/SensitiveCommunication.ql

@@ -3,14 +3,10 @@ import semmle.code.java.security.AndroidSensitiveCommunicationQuery
 import TestUtilities.InlineExpectationsTest
 import TestUtilities.InlineFlowTest
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class HasFlowTest extends InlineFlowTest {
-  override DataFlow::Configuration getTaintFlowConfig() {
-    result = any(SensitiveCommunicationConfig c)
-  }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    SensitiveCommunicationFlow::hasFlow(src, sink)
+  }
 }