Java: convert IntentUriPermissionManipulation test to .qlref

d10c · d10c · commit b736e3733c1f · 2025-06-24T16:41:58.000+02:00
diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.expected
@@ -0,0 +1,43 @@
+#select
+| MainActivity.java:13:34:13:39 | intent | MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:12:29:12:39 | getIntent(...) | user-provided value |
+| MainActivity.java:17:34:17:44 | extraIntent | MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:17:34:17:44 | extraIntent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:16:43:16:53 | getIntent(...) | user-provided value |
+| MainActivity.java:33:34:33:39 | intent | MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:30:29:30:39 | getIntent(...) | user-provided value |
+| MainActivity.java:46:34:46:39 | intent | MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:42:29:42:39 | getIntent(...) | user-provided value |
+| MainActivity.java:52:34:52:39 | intent | MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:49:29:49:39 | getIntent(...) | user-provided value |
+| MainActivity.java:60:38:60:43 | intent | MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:55:29:55:39 | getIntent(...) | user-provided value |
+| MainActivity.java:71:38:71:43 | intent | MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:64:29:64:39 | getIntent(...) | user-provided value |
+| MainActivity.java:81:38:81:43 | intent | MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:75:29:75:39 | getIntent(...) | user-provided value |
+edges
+| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:16:34:16:87 | (...)... : Intent | MainActivity.java:17:34:17:44 | extraIntent | provenance | Sink:MaD:1 |
+| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | provenance | MaD:2 |
+| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | MainActivity.java:16:34:16:87 | (...)... : Intent | provenance |  |
+| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | provenance | Sink:MaD:1 |
+| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | provenance | Sink:MaD:1 |
+models
+| 1 | Sink: android.app; Activity; true; setResult; (int,Intent); ; Argument[1]; pending-intents; manual |
+| 2 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
+nodes
+| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:13:34:13:39 | intent | semmle.label | intent |
+| MainActivity.java:16:34:16:87 | (...)... : Intent | semmle.label | (...)... : Intent |
+| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
+| MainActivity.java:17:34:17:44 | extraIntent | semmle.label | extraIntent |
+| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:33:34:33:39 | intent | semmle.label | intent |
+| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:46:34:46:39 | intent | semmle.label | intent |
+| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:52:34:52:39 | intent | semmle.label | intent |
+| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:60:38:60:43 | intent | semmle.label | intent |
+| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:71:38:71:43 | intent | semmle.label | intent |
+| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
+| MainActivity.java:81:38:81:43 | intent | semmle.label | intent |
+subpaths
diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.ql
diff --git a/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref b/java/ql/test/query-tests/security/CWE-266/IntentUriPermissionManipulationTest.qlref
@@ -0,0 +1,4 @@
+query: Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-266/MainActivity.java b/java/ql/test/query-tests/security/CWE-266/MainActivity.java
@@ -9,12 +9,12 @@ public class MainActivity extends Activity {
 
     public void onCreate(Bundle savedInstance) {
         {
-            Intent intent = getIntent();
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            Intent intent = getIntent(); // $ Source
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
-            Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent");
-            setResult(RESULT_OK, extraIntent); // $ hasTaintFlow
+            Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); // $ Source
+            setResult(RESULT_OK, extraIntent); // $ Alert
         }
         {
             Intent intent = getIntent();
@@ -27,10 +27,10 @@ public void onCreate(Bundle savedInstance) {
             setResult(RESULT_OK, intent); // Safe
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             intent.setFlags( // Not properly sanitized
                     Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
             Intent intent = getIntent();
@@ -39,46 +39,46 @@ public void onCreate(Bundle savedInstance) {
             setResult(RESULT_OK, intent); // Safe
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             // Combined, the following two calls are a sanitizer
             intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
             intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
-            setResult(RESULT_OK, intent); // $ SPURIOUS: $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ SPURIOUS: $ Alert
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             intent.removeFlags( // Not properly sanitized
                     Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
-            setResult(RESULT_OK, intent); // $ hasTaintFlow
+            setResult(RESULT_OK, intent); // $ Alert
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             // Good check
             if (intent.getData().equals(Uri.parse("content://safe/uri"))) {
                 setResult(RESULT_OK, intent); // Safe
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             int flags = intent.getFlags();
             // Good check
             if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0
                     && (flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) {
                 setResult(RESULT_OK, intent); // Safe
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
         {
-            Intent intent = getIntent();
+            Intent intent = getIntent(); // $ Source
             int flags = intent.getFlags();
             // Insufficient check
             if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0) {
-                setResult(RESULT_OK, intent); // $ MISSING: $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ MISSING: $ Alert
             } else {
-                setResult(RESULT_OK, intent); // $ hasTaintFlow
+                setResult(RESULT_OK, intent); // $ Alert
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -9,12 +9,12 @@ public class MainActivity extends Activity {`
`9`	`9`
`10`	`10`	`public void onCreate(Bundle savedInstance) {`
`11`	`11`	`{`
`12`		`- Intent intent = getIntent();`
`13`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`12`	`+ Intent intent = getIntent(); // $ Source`
	`13`	`+ setResult(RESULT_OK, intent); // $ Alert`
`14`	`14`	`}`
`15`	`15`	`{`
`16`		`- Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent");`
`17`		`- setResult(RESULT_OK, extraIntent); // $ hasTaintFlow`
	`16`	`+ Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); // $ Source`
	`17`	`+ setResult(RESULT_OK, extraIntent); // $ Alert`
`18`	`18`	`}`
`19`	`19`	`{`
`20`	`20`	`Intent intent = getIntent();`
`@@ -27,10 +27,10 @@ public void onCreate(Bundle savedInstance) {`
`27`	`27`	`setResult(RESULT_OK, intent); // Safe`
`28`	`28`	`}`
`29`	`29`	`{`
`30`		`- Intent intent = getIntent();`
	`30`	`+ Intent intent = getIntent(); // $ Source`
`31`	`31`	`intent.setFlags( // Not properly sanitized`
`32`	`32`	`Intent.FLAG_GRANT_WRITE_URI_PERMISSION \| Intent.FLAG_ACTIVITY_CLEAR_TOP);`
`33`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`33`	`+ setResult(RESULT_OK, intent); // $ Alert`
`34`	`34`	`}`
`35`	`35`	`{`
`36`	`36`	`Intent intent = getIntent();`
`@@ -39,46 +39,46 @@ public void onCreate(Bundle savedInstance) {`
`39`	`39`	`setResult(RESULT_OK, intent); // Safe`
`40`	`40`	`}`
`41`	`41`	`{`
`42`		`- Intent intent = getIntent();`
	`42`	`+ Intent intent = getIntent(); // $ Source`
`43`	`43`	`// Combined, the following two calls are a sanitizer`
`44`	`44`	`intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);`
`45`	`45`	`intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);`
`46`		`- setResult(RESULT_OK, intent); // $ SPURIOUS: $ hasTaintFlow`
	`46`	`+ setResult(RESULT_OK, intent); // $ SPURIOUS: $ Alert`
`47`	`47`	`}`
`48`	`48`	`{`
`49`		`- Intent intent = getIntent();`
	`49`	`+ Intent intent = getIntent(); // $ Source`
`50`	`50`	`intent.removeFlags( // Not properly sanitized`
`51`	`51`	`Intent.FLAG_GRANT_WRITE_URI_PERMISSION \| Intent.FLAG_ACTIVITY_CLEAR_TOP);`
`52`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`52`	`+ setResult(RESULT_OK, intent); // $ Alert`
`53`	`53`	`}`
`54`	`54`	`{`
`55`		`- Intent intent = getIntent();`
	`55`	`+ Intent intent = getIntent(); // $ Source`
`56`	`56`	`// Good check`
`57`	`57`	`if (intent.getData().equals(Uri.parse("content://safe/uri"))) {`
`58`	`58`	`setResult(RESULT_OK, intent); // Safe`
`59`	`59`	`} else {`
`60`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`60`	`+ setResult(RESULT_OK, intent); // $ Alert`
`61`	`61`	`}`
`62`	`62`	`}`
`63`	`63`	`{`
`64`		`- Intent intent = getIntent();`
	`64`	`+ Intent intent = getIntent(); // $ Source`
`65`	`65`	`int flags = intent.getFlags();`
`66`	`66`	`// Good check`
`67`	`67`	`if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0`
`68`	`68`	`&& (flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) {`
`69`	`69`	`setResult(RESULT_OK, intent); // Safe`
`70`	`70`	`} else {`
`71`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`71`	`+ setResult(RESULT_OK, intent); // $ Alert`
`72`	`72`	`}`
`73`	`73`	`}`
`74`	`74`	`{`
`75`		`- Intent intent = getIntent();`
	`75`	`+ Intent intent = getIntent(); // $ Source`
`76`	`76`	`int flags = intent.getFlags();`
`77`	`77`	`// Insufficient check`
`78`	`78`	`if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0) {`
`79`		`- setResult(RESULT_OK, intent); // $ MISSING: $ hasTaintFlow`
	`79`	`+ setResult(RESULT_OK, intent); // $ MISSING: $ Alert`
`80`	`80`	`} else {`
`81`		`- setResult(RESULT_OK, intent); // $ hasTaintFlow`
	`81`	`+ setResult(RESULT_OK, intent); // $ Alert`
`82`	`82`	`}`
`83`	`83`	`}`
`84`	`84`	`}`