Add guard sanitizer for component name checks

atorralba · atorralba · commit 9a537f9c232b · 2021-10-18T11:08:14.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/AndroidIntentRedirection.qll b/java/ql/src/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -1,6 +1,7 @@
 /** Provides classes to reason about Android Intent redirect vulnerabilities. */
 
 import java
+private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.frameworks.android.Intent
@@ -31,3 +32,18 @@ class IntentRedirectionAdditionalTaintStep extends Unit {
 private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
   DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }
 }
+
+/**
+ * A default sanitizer for nodes dominated by calls to `ComponentName.getPackageName`
+ * or `ComponentName.getClassName`. These are used to check whether the origin or destination
+ * components are trusted.
+ */
+private class DefaultIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+  DefaultIntentRedirectionSanitizer() {
+    exists(MethodAccess ma, Method m |
+      ma.getMethod() = m and
+      m.hasQualifiedName("android.content", "ComponentName", ["getPackageName", "getClassName"]) and
+      ma.getBasicBlock().(ConditionBlock).controls(this.asExpr().getBasicBlock(), true)
+    )
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
@@ -8,45 +8,49 @@
 public class AndroidIntentRedirectionTest extends Activity {
 
     public void onCreate(Bundle savedInstanceState) {
-        // @formatter:off
-        {
-            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
-            startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
-            startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection
+        Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+
+        if (intent.getComponent().getPackageName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
             startActivity(intent); // $ hasAndroidIntentRedirection
-            startActivity(intent, null); // $ hasAndroidIntentRedirection
-            startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection
-            startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirection
-            startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection
-            startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection
-            startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection
-            startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection
-            startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirection
-            startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirection
-            startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirection
-        }
-        {
-            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
-            startService(intent); // $ hasAndroidIntentRedirection
-            startServiceAsUser(intent, null); // $ hasAndroidIntentRedirection
         }
-        {
-            Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
-            sendBroadcast(intent); // $ hasAndroidIntentRedirection
-            sendBroadcast(intent, null); // $ hasAndroidIntentRedirection
-            sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirection
-            sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirection
-            sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
-            sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
-            sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirection
-            sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirection
-            sendBroadcastWithMultiplePermissions(intent, null); // $ hasAndroidIntentRedirection
-            sendStickyBroadcast(intent); // $ hasAndroidIntentRedirection
-            sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
-            sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
-            sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirection
-            sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection
+        if (intent.getComponent().getClassName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
+            startActivity(intent); // $ hasAndroidIntentRedirection
         }
+
+        // @formatter:off
+        startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
+        startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection
+        startActivity(intent); // $ hasAndroidIntentRedirection
+        startActivity(intent, null); // $ hasAndroidIntentRedirection
+        startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection
+        startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirection
+        startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection
+        startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection
+        startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection
+        startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirection
+        startService(intent); // $ hasAndroidIntentRedirection
+        startServiceAsUser(intent, null); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent, null); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirection
+        sendBroadcastWithMultiplePermissions(intent, null); // $ hasAndroidIntentRedirection
+        sendStickyBroadcast(intent); // $ hasAndroidIntentRedirection
+        sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
+        sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
+        sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirection
+        sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection
         // @formatter:on
     }
 }
