Merge pull request #11367 from atorralba/atorralba/java/add-bitwise-implicit-intents

atorralba · web-flow · commit 92ee0aa7ae73 · 2022-11-22T17:08:52.000+01:00
Java: Consider taint through bitwise operations on PendingIntent flags
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -85,9 +85,11 @@ private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAddition
       // unless it is at least sometimes explicitly marked immutable and never marked mutable.
       // Note: for API level < 31, PendingIntents were mutable by default, whereas since then
       // they are immutable by default.
-      not TaintTracking::localExprTaint(any(ImmutablePendingIntentFlag flag).getAnAccess(), flagArg)
+      not bitwiseLocalTaintStep*(DataFlow::exprNode(any(ImmutablePendingIntentFlag flag)
+              .getAnAccess()), DataFlow::exprNode(flagArg))
       or
-      TaintTracking::localExprTaint(any(MutablePendingIntentFlag flag).getAnAccess(), flagArg)
+      bitwiseLocalTaintStep*(DataFlow::exprNode(any(MutablePendingIntentFlag flag).getAnAccess()),
+        DataFlow::exprNode(flagArg))
     )
   }
 }
@@ -124,3 +126,12 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {
       ]
   }
 }
+
+/**
+ * Holds if taint can flow from `source` to `sink` in one local step,
+ * including bitwise operations.
+ */
+private predicate bitwiseLocalTaintStep(DataFlow::Node source, DataFlow::Node sink) {
+  TaintTracking::localTaintStep(source, sink) or
+  source.asExpr() = sink.asExpr().(BitwiseExpr).(BinaryExpr).getAnOperand()
+}
diff --git a/java/ql/src/change-notes/2022-11-22-bitwise-implicit-intent-flags.md b/java/ql/src/change-notes/2022-11-22-bitwise-implicit-intent-flags.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.java
@@ -156,7 +156,7 @@ public static void testPendingIntentAsAnExtra(Context ctx)
             PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, flag); // Sanitizer
             Intent fwdIntent = new Intent();
             fwdIntent.putExtra("fwdIntent", pi);
-            ctx.startActivity(fwdIntent); // $ SPURIOUS: $ hasImplicitPendingIntent
+            ctx.startActivity(fwdIntent); // Safe
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -85,9 +85,11 @@ private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAddition`
`85`	`85`	`// unless it is at least sometimes explicitly marked immutable and never marked mutable.`
`86`	`86`	`// Note: for API level < 31, PendingIntents were mutable by default, whereas since then`
`87`	`87`	`// they are immutable by default.`
`88`		`- not TaintTracking::localExprTaint(any(ImmutablePendingIntentFlag flag).getAnAccess(), flagArg)`
	`88`	`+ not bitwiseLocalTaintStep*(DataFlow::exprNode(any(ImmutablePendingIntentFlag flag)`
	`89`	`+ .getAnAccess()), DataFlow::exprNode(flagArg))`
`89`	`90`	`or`
`90`		`- TaintTracking::localExprTaint(any(MutablePendingIntentFlag flag).getAnAccess(), flagArg)`
	`91`	`+ bitwiseLocalTaintStep*(DataFlow::exprNode(any(MutablePendingIntentFlag flag).getAnAccess()),`
	`92`	`+ DataFlow::exprNode(flagArg))`
`91`	`93`	`)`
`92`	`94`	`}`
`93`	`95`	`}`
`@@ -124,3 +126,12 @@ private class PendingIntentSentSinkModels extends SinkModelCsv {`
`124`	`126`	`]`
`125`	`127`	`}`
`126`	`128`	`}`
	`129`	`+`
	`130`	`+/**`
	`131`	+ * Holds if taint can flow from `source` to `sink` in one local step,
	`132`	`+ * including bitwise operations.`
	`133`	`+ */`
	`134`	`+private predicate bitwiseLocalTaintStep(DataFlow::Node source, DataFlow::Node sink) {`
	`135`	`+ TaintTracking::localTaintStep(source, sink) or`
	`136`	`+ source.asExpr() = sink.asExpr().(BitwiseExpr).(BinaryExpr).getAnOperand()`
	`137`	`+}`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@ public static void testPendingIntentAsAnExtra(Context ctx)`
`156`	`156`	`PendingIntent pi = PendingIntent.getActivity(ctx, 0, baseIntent, flag); // Sanitizer`
`157`	`157`	`Intent fwdIntent = new Intent();`
`158`	`158`	`fwdIntent.putExtra("fwdIntent", pi);`
`159`		`- ctx.startActivity(fwdIntent); // $ SPURIOUS: $ hasImplicitPendingIntent`
	`159`	`+ ctx.startActivity(fwdIntent); // Safe`
`160`	`160`	`}`
`161`	`161`	`}`
`162`	`162`