Added tests and stubs

Author: atorralba

java/ql/src/semmle/code/java/security/AndroidIntentRedirect.qll

@@ -0,0 +1,29 @@
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.frameworks.android.Intent
+
+abstract class IntentRedirectSink extends DataFlow::Node { }
+
+abstract class IntentRedirectSanitizer extends DataFlow::Node { }
+
+class IntentRedirectAdditionalTaintStep extends Unit {
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+private class DefaultIntentRedirectSink extends IntentRedirectSink {
+  DefaultIntentRedirectSink() {
+    exists(MethodAccess ma, Method m |
+      ma.getMethod() = m and
+      this.asExpr() = ma.getAnArgument() and
+      (
+        this.asExpr().getType() instanceof TypeIntent
+        or
+        this.asExpr().getType().(Array).getComponentType() instanceof TypeIntent
+      )
+    |
+      m instanceof StartActivityMethod or
+      m instanceof StartServiceMethod or
+      m instanceof SendBroadcastMethod
+    )
+  }
+}

java/ql/src/semmle/code/java/security/AndroidIntentRedirectQuery.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.AndroidIntentRedirect
 
 /**
  * A taint tracking configuration for user-provided Intents being used to start Android components.
@@ -12,13 +13,13 @@ class IntentRedirectConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof StartActivityMethod or
-      ma.getMethod() instanceof StartServiceMethod or
-      ma.getMethod() instanceof SendBroadcastMethod
-    |
-      ma.getArgument(0) = sink.asExpr()
-    )
+  override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectSink }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof IntentRedirectSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentRedirectAdditionalTaintStep c).step(node1, node2)
   }
 }

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectTest.expected

@@ -0,0 +1,55 @@
+package com.example.app;
+
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class AndroidIntentRedirectTest extends Activity {
+    AndroidIntentRedirectTest(Context base) {
+        super(base);
+    }
+
+    public void onCreate(Bundle savedInstanceState) {
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirect
+            startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirect
+            startActivity(intent); // $ hasAndroidIntentRedirect
+            startActivity(intent, null); // $ hasAndroidIntentRedirect
+            startActivityAsUser(intent, null); // $ hasAndroidIntentRedirect
+            startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirect
+            startActivityAsUserFromFragment(null, intent, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResult(intent, 0); // $ hasAndroidIntentRedirect
+            startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirect
+            startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirect
+            startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirect
+        }
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            startService(intent); // $ hasAndroidIntentRedirect
+            startServiceAsUser(intent, null); // $ hasAndroidIntentRedirect
+        }
+        {
+            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+            sendBroadcast(intent); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirect
+            sendBroadcastAsUserMultiplePermissions(intent, null, null); // $ hasAndroidIntentRedirect
+            sendStickyBroadcast(intent); // $ hasAndroidIntentRedirect
+            sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirect
+            sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirect
+            sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirect
+            sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirect
+        }
+
+    }
+}

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectTest.java

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.AndroidIntentRedirectQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasAndroidIntentRedirectTest extends InlineExpectationsTest {
+  HasAndroidIntentRedirectTest() { this = "HasAndroidIntentRedirectTest" }
+
+  override string getARelevantTag() { result = "hasAndroidIntentRedirect" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasAndroidIntentRedirect" and
+    exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectConfiguration conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectTest.ql

@@ -0,0 +1,24 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".AndroidIntentRedirectTest"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".SafeActivity" />
+    </application>
+
+</manifest>

java/ql/test/query-tests/security/CWE-940/AndroidManifest.xml

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0