@@ -111,6 +111,31 @@ private predicate isSensitiveBroadcastSink(DataFlow::Node sink) {
111111 )
112112}
113113
114+ predicate isCleanIntent ( Expr intent ) {
115+ intent .getType ( ) instanceof TypeIntent and
116+ (
117+ exists ( MethodAccess setRecieverMa |
118+ setRecieverMa .getQualifier ( ) = intent and
119+ setRecieverMa .getMethod ( ) .hasName ( [ "setPackage" , "setClass" , "setClassName" , "setComponent" ] )
120+ )
121+ or
122+ // Handle the cases where the PackageContext and Class are set at construction time
123+ // Intent(Context packageContext, Class<?> cls)
124+ // Intent(String action, Uri uri, Context packageContext, Class<?> cls)
125+ exists ( ConstructorCall cc | cc = intent |
126+ cc .getConstructedType ( ) instanceof TypeIntent and
127+ cc .getNumArgument ( ) > 1 and
128+ (
129+ cc .getArgument ( 0 ) .getType ( ) instanceof TypeContext and
130+ not isNullArg ( cc .getArgument ( 1 ) )
131+ or
132+ cc .getArgument ( 2 ) .getType ( ) instanceof TypeContext and
133+ not isNullArg ( cc .getArgument ( 3 ) )
134+ )
135+ )
136+ )
137+ }
138+
114139/**
115140 * Taint configuration tracking flow from variables containing sensitive information to broadcast intents.
116141 */
@@ -127,9 +152,8 @@ class SensitiveBroadcastConfig extends TaintTracking::Configuration {
127152 * Holds if broadcast doesn't specify receiving package name of the 3rd party app
128153 */
129154 override predicate isSanitizer ( DataFlow:: Node node ) {
130- exists ( MethodAccess setReceiverMa |
131- setReceiverMa .getMethod ( ) .hasName ( [ "setPackage" , "setClass" , "setClassName" , "setComponent" ] ) and
132- setReceiverMa .getQualifier ( ) .( VarAccess ) .getVariable ( ) .getAnAccess ( ) = node .asExpr ( )
155+ exists ( DataFlow:: Node intent | isCleanIntent ( intent .asExpr ( ) ) |
156+ DataFlow:: localFlow ( intent , node )
133157 )
134158 }
135159
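Review bot: The setter branch of `isCleanIntent` (new lines 117-120) accepts any call to `setPackage`, `setClass`, `setClassName` or `setComponent` on the intent without inspecting the argument, so `intent.setPackage(null)` or `intent.setComponent(null)`, which leave the intent implicit, would still mark it clean and the query would miss that broadcast. The constructor branch already guards against this with `not isNullArg(...)`. For `setPackage` and `setComponent`, the setter branch could add `not isNullArg(setRecieverMa.getArgument(0))`, assuming `isNullArg` (defined outside this view) accepts any argument expression. The predicate is also undocumented and not `private`, unlike the neighbouring `isSensitiveBroadcastSink`, so a one-line QLDoc saying it holds when the intent has an explicit receiver set by setter or constructor would help. The variable name `setRecieverMa` is misspelled (`setReceiverMa` in the removed code).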