Add support for implicit field read flows

Author: atorralba

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -23,10 +23,19 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
     sanitizer instanceof ExplicitIntentSanitizer
   }
 
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Field f |
+      f.getType() instanceof PendingIntent and
+      node1.(DataFlow::PostUpdateNode).getPreUpdateNode() =
+        DataFlow::getFieldQualifier(f.getAnAccess().(FieldWrite)) and
+      node2.asExpr().(FieldRead).getField() = f
+    )
+  }
+
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
-    super.allowImplicitRead(node, c)
-    or
-    this.isSink(node)
+    super.allowImplicitRead(node, c) or
+    this.isSink(node) or
+    this.isAdditionalTaintStep(node, _)
   }
 }
 

java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java

@@ -90,6 +90,8 @@ public static void test(Context ctx) throws PendingIntent.CanceledException {
 
     static class TestSliceProvider extends SliceProvider {
 
+        private PendingIntent mPendingIntent;
+
         @Override
         public Slice onBindSlice(Uri sliceUri) {
             if (sliceUri.getAuthority().equals("1")) {
@@ -110,7 +112,7 @@ public Slice onBindSlice(Uri sliceUri) {
                         .setPrimaryAction(activityAction));
                 return listBuilder.build(); // Safe
 
-            } else {
+            } else if (sliceUri.getAuthority().equals("3")) {
                 Intent baseIntent = new Intent();
                 PendingIntent pi = PendingIntent.getActivity(getContext(), 0, baseIntent,
                         PendingIntent.FLAG_IMMUTABLE); // Sanitizer
@@ -119,6 +121,14 @@ public Slice onBindSlice(Uri sliceUri) {
                 listBuilder.addRow(new ListBuilder.RowBuilder().setTitle("Title")
                         .setPrimaryAction(activityAction));
                 return listBuilder.build(); // Safe
+
+            } else {
+                // Testing implicit field read flows:
+                // mPendingIntent is set in onCreateSliceProvider
+                SliceAction action = SliceAction.createDeeplink(mPendingIntent, null, 0, "");
+                ListBuilder listBuilder = new ListBuilder(getContext(), sliceUri, 0);
+                listBuilder.addRow(new ListBuilder.RowBuilder(sliceUri).setPrimaryAction(action));
+                return listBuilder.build(); // $hasTaintFlow
             }
         }
 
@@ -136,12 +146,17 @@ public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPacka
             }
         }
 
-        // Implementations needed for compilation
         @Override
         public boolean onCreateSliceProvider() {
+            // Testing implicit field read flows:
+            // mPendingIntent is used in onBindSlice
+            Intent baseIntent = new Intent();
+            mPendingIntent = PendingIntent.getActivity(getContext(), 0, baseIntent, 0);
             return true;
         }
 
+        // Implementations needed for compilation
+
         @Override
         public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts,
                 CancellationSignal signal) throws RemoteException, FileNotFoundException {