Remove PendingIntentAsField step and add SliceProviderLifecycle step

atorralba · atorralba · commit 6fe0b789782f · 2022-01-20T16:52:07.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/Slice.qll b/java/ql/lib/semmle/code/java/frameworks/android/Slice.qll
@@ -5,6 +5,36 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.ExternalFlow
 
+/** The class `androidx.slice.SliceProvider`. */
+class SliceProvider extends Class {
+  SliceProvider() { this.hasQualifiedName("androidx.slice", "SliceProvider") }
+}
+
+/**
+ * An additional value step for modeling the lifecycle of a `SliceProvider`.
+ * It connects the `PostUpdateNode` of any update done to the provider object in
+ * `onCreateSliceProvider` to the instance parameter of `onBindSlice`.
+ */
+private class SliceProviderLifecycleStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Method onCreate, Method onBind, RefType declaringClass |
+      declaringClass.getASupertype*() instanceof SliceProvider and
+      onCreate.getDeclaringType() = declaringClass and
+      onCreate.hasName("onCreateSliceProvider") and
+      onBind.getDeclaringType() = declaringClass and
+      onBind.hasName("onBindSlice")
+    |
+      node1
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .(DataFlow::InstanceAccessNode)
+          .isOwnInstanceAccess() and
+      node1.getEnclosingCallable() = onCreate and
+      node2.(DataFlow::InstanceParameterNode).getEnclosingCallable() = onBind
+    )
+  }
+}
+
 private class SliceActionsInheritTaint extends DataFlow::SyntheticFieldContent,
   TaintInheritingContent {
   SliceActionsInheritTaint() { this.getField().matches("androidx.slice.Slice.action") }
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -68,21 +68,7 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {
   override predicate hasState(DataFlow::FlowState state) { state = "MutablePendingIntent" }
 }
 
-/**
- * Propagates taint from any tainted object to reads from its `PendingIntent`-typed fields.
- */
-private class PendingIntentAsFieldAdditionalTaintStep extends ImplicitPendingIntentAdditionalTaintStep {
-  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(Field f |
-      f.getType() instanceof PendingIntent and
-      node1.(DataFlow::PostUpdateNode).getPreUpdateNode() =
-        DataFlow::getFieldQualifier(f.getAnAccess().(FieldWrite)) and
-      node2.asExpr().(FieldRead).getField() = f
-    )
-  }
-}
-
-private class MutablePendingIntentFlowStep extends PendingIntentAsFieldAdditionalTaintStep {
+private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAdditionalTaintStep {
   override predicate step(
     DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
     DataFlow::FlowState state2
