Add intent creation from a URI as a taint step

atorralba · atorralba · commit 392e2eebebb7 · 2021-10-18T12:18:07.000+02:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll b/java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
@@ -249,6 +249,9 @@ private class IntentComponentTaintSteps extends SummaryModelCsv {
         "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint",
         "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint",
         "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint",
+        "android.content;Intent;true;getIntent;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;getIntentOld;(String);;Argument[0];ReturnValue;taint",
+        "android.content;Intent;true;parseUri;(String,int);;Argument[0];ReturnValue;taint",
         "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint",
         "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;taint",
         "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint",
diff --git a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
@@ -179,6 +179,18 @@ public void onCreate(Bundle savedInstanceState) {
                 // Conditionally tainted sinks aren't supported currently
                 startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
             }
+            {
+                Intent fwdIntent = Intent.parseUri(getIntent().getStringExtra("uri"), 0);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntent(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntentOld(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
         } catch (Exception e) {
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,18 @@ public void onCreate(Bundle savedInstanceState) {`
`179`	`179`	`// Conditionally tainted sinks aren't supported currently`
`180`	`180`	`startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection`
`181`	`181`	`}`
	`182`	`+ {`
	`183`	`+ Intent fwdIntent = Intent.parseUri(getIntent().getStringExtra("uri"), 0);`
	`184`	`+ startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
	`185`	`+ }`
	`186`	`+ {`
	`187`	`+ Intent fwdIntent = Intent.getIntent(getIntent().getStringExtra("uri"));`
	`188`	`+ startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
	`189`	`+ }`
	`190`	`+ {`
	`191`	`+ Intent fwdIntent = Intent.getIntentOld(getIntent().getStringExtra("uri"));`
	`192`	`+ startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
	`193`	`+ }`
`182`	`194`	`} catch (Exception e) {`
`183`	`195`	`}`
`184`	`196`	`}`