
Commit 62c2191

committed
Add QLDoc to guard and sanitizer
1 parent 58a0bcd commit 62c2191

1 file changed

+22
-0
lines changed

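--- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
+++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulation.qll
@@ -38,6 +38,14 @@ private class DefaultIntentUriPermissionManipulationSink extends IntentUriPermis
 }
 }
 
+/**
+* Sanitizer that prevents access to arbitrary content providers by modifying the Intent in one of
+* the following ways:
+* * Removing the flags `FLAG_GRANT_READ_URI_PERMISSION` and `FLAG_GRANT_WRITE_URI_PERMISSION`.
+* * Setting the flags to a combination that doesn't include `FLAG_GRANT_READ_URI_PERMISSION` or
+* `FLAG_GRANT_WRITE_URI_PERMISSION`.
+* * Replacing the data URI.
+*/
 private class IntentFlagsOrDataChangedSanitizer extends IntentUriPermissionManipulationSanitizer {
 IntentFlagsOrDataChangedSanitizer() {
 exists(MethodAccess ma, Method m |
@@ -60,6 +68,20 @@ private class IntentFlagsOrDataChangedSanitizer extends IntentUriPermissionManip
 }
 }
 
+/**
+* A guard that checks an Intent's flags or data URI to make sure they are trusted.
+* It matches the following patterns:
+*
+* ```java
+* if (intent.getData().equals("trustedValue")) {}
+*
+* if (intent.getFlags() & Intent.FLAG_GRANT_READ_URI_PERMISSION == 0 &&
+* intent.getFlags() & Intent.FLAG_GRANT_WRITE_URI_PERMISSION == 0) {}
+*
+* if (intent.getFlags() & Intent.FLAG_GRANT_READ_URI_PERMISSION != 0 ||
+* intent.getFlags() & Intent.FLAG_GRANT_WRITE_URI_PERMISSION != 0) {}
+* ```
+*/
 private class IntentFlagsOrDataCheckedGuard extends IntentUriPermissionManipulationGuard {
 Expr condition;
 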
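Review bot: The Java examples in the new QLDoc for `IntentFlagsOrDataCheckedGuard` would not compile as written, because `==` and `!=` bind tighter than `&`, so `intent.getFlags() & Intent.FLAG_GRANT_READ_URI_PERMISSION == 0` parses as `int & boolean`. Each mask test should be parenthesised, e.g. `(intent.getFlags() & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0`, on all four flag lines. The comment also does not say which branch of the guard is treated as safe (for the `!= 0 || != 0` form it is presumably the false branch), and `intent.getData().equals("trustedValue")` compares a `Uri` with a `String`, which is always false in real code; one sentence naming the safe branch and a `Uri`-typed comparison in the example would keep readers from copying a check that does not protect anything. The class body continues outside the hunk, so the matching logic itself is not visible here.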