github
diff --git a/‎java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 0 deletions b/‎java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
Lines changed: 1 addition & 0 deletions
diff --git a/‎java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
Lines changed: 37 additions & 0 deletions b/‎java/ql/lib/semmle/code/java/frameworks/android/Intent.qll
Lines changed: 37 additions & 0 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
Lines changed: 3 additions & 0 deletions b/‎java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
Lines changed: 3 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
Lines changed: 16 additions & 19 deletions b/‎java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
Lines changed: 16 additions & 19 deletions
diff --git a/‎java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
Lines changed: 1 addition & 6 deletions b/‎java/ql/test/stubs/google-android-9.0.0/android/app/Activity.java
Lines changed: 1 addition & 6 deletions
diff --git a/‎java/ql/test/stubs/google-android-9.0.0/android/app/Fragment.java
Lines changed: 4 additions & 0 deletions b/‎java/ql/test/stubs/google-android-9.0.0/android/app/Fragment.java
Lines changed: 4 additions & 0 deletions
diff --git a/‎java/ql/test/stubs/google-android-9.0.0/android/content/Context.java
Lines changed: 3 additions & 0 deletions b/‎java/ql/test/stubs/google-android-9.0.0/android/content/Context.java
Lines changed: 3 additions & 0 deletions
diff --git a/‎java/ql/test/stubs/google-android-9.0.0/android/content/ContextWrapper.java
Lines changed: 3 additions & 0 deletions b/‎java/ql/test/stubs/google-android-9.0.0/android/content/ContextWrapper.java
Lines changed: 3 additions & 0 deletions
@@ -104,6 +104,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.frameworks.spring.SpringWebMultipart
   private import semmle.code.java.frameworks.spring.SpringWebUtil
+  private import semmle.code.java.security.AndroidIntentRedirection
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.GroovyInjection
 
@@ -10,6 +10,11 @@ class TypeIntent extends Class {
   TypeIntent() { hasQualifiedName("android.content", "Intent") }
 }
 
+/** The class `android.content.ComponentName`. */
+class TypeComponentName extends Class {
+  TypeComponentName() { this.hasQualifiedName("android.content", "ComponentName") }
+}
+
 /**
  * The class `android.app.Activity`.
  */
@@ -236,3 +241,35 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
       ]
   }
 }
+
+private class IntentComponentTaintSteps extends SummaryModelCsv {
+  override predicate row(string s) {
+    s =
+      [
+        "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint",
+        "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClass;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setClassName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;Intent;true;setComponent;;;Argument[0];Argument[-1];taint",
+        "android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;ComponentName;(String,String);;Argument[0..1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,String);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Context,Class);;Argument[1];Argument[-1];taint",
+        "android.content;ComponentName;false;ComponentName;(Parcel);;Argument[0];Argument[-1];taint",
+        "android.content;ComponentName;false;createRelative;(String,String);;Argument[0..1];ReturnValue;taint",
+        "android.content;ComponentName;false;createRelative;(Context,String);;Argument[1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToShortString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;flattenToString;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getPackageName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;getShortClassName;;;Argument[-1];ReturnValue;taint",
+        "android.content;ComponentName;false;unflattenFromString;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
@@ -32,6 +32,8 @@ private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
+        "android.app;Activity;true;bindService;;;Argument[0];intent-start",
+        "android.app;Activity;true;bindServiceAsUser;;;Argument[0];intent-start",
         "android.app;Activity;true;startActivityAsCaller;;;Argument[0];intent-start",
         "android.app;Activity;true;startActivityForResult;(Intent,int);;Argument[0];intent-start",
         "android.app;Activity;true;startActivityForResult;(Intent,int,Bundle);;Argument[0];intent-start",
@@ -43,6 +45,7 @@ private class DefaultIntentRedirectionSinkModel extends SinkModelCsv {
         "android.content;Context;true;startActivityFromChild;;;Argument[1];intent-start",
         "android.content;Context;true;startActivityFromFragment;;;Argument[1];intent-start",
         "android.content;Context;true;startActivityIfNeeded;;;Argument[0];intent-start",
+        "android.content;Context;true;startForegroundService;;;Argument[0];intent-start",
         "android.content;Context;true;startService;;;Argument[0];intent-start",
         "android.content;Context;true;startServiceAsUser;;;Argument[0];intent-start",
         "android.content;Context;true;sendBroadcast;;;Argument[0];intent-start",
 
@@ -17,28 +17,25 @@ public void onCreate(Bundle savedInstanceState) {
         startActivity(intent); // $ hasAndroidIntentRedirection
         startActivity(intent, null); // $ hasAndroidIntentRedirection
         startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection
-        startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirection
         startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection
         startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection
         startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection
         startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection
         startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirection
         startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirection
         startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirection
+        bindService(intent, null, 0);
+        bindServiceAsUser(intent, null, 0, null);
         startService(intent); // $ hasAndroidIntentRedirection
         startServiceAsUser(intent, null); // $ hasAndroidIntentRedirection
+        startForegroundService(intent); // $ hasAndroidIntentRedirection
         sendBroadcast(intent); // $ hasAndroidIntentRedirection
         sendBroadcast(intent, null); // $ hasAndroidIntentRedirection
-        sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirection
-        sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirection
         sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
         sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
-        sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirection
-        sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirection
         sendBroadcastWithMultiplePermissions(intent, null); // $ hasAndroidIntentRedirection
         sendStickyBroadcast(intent); // $ hasAndroidIntentRedirection
         sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
-        sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
         sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirection
         sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection
         // @formatter:on
@@ -63,78 +60,78 @@ public void onCreate(Bundle savedInstanceState) {
             }
             {
                 Intent fwdIntent = new Intent();
-                fwdIntent.setClassName((Context) null, (String) intent.getExtra("className"));
+                fwdIntent.setClassName((Context) null, intent.getStringExtra("className"));
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
-                fwdIntent.setClassName((String) intent.getExtra("packageName"), null);
+                fwdIntent.setClassName(intent.getStringExtra("packageName"), null);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
-                fwdIntent.setClassName((String) intent.getExtra("packageName"),
-                        (String) intent.getExtra("className"));
+                fwdIntent.setClassName(intent.getStringExtra("packageName"),
+                        intent.getStringExtra("className"));
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
-                fwdIntent.setClass(null, Class.forName((String) intent.getExtra("className")));
+                fwdIntent.setClass(null, Class.forName(intent.getStringExtra("className")));
                 // needs taint step for Class.forName
                 startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
-                fwdIntent.setPackage((String) intent.getExtra("packageName"));
+                fwdIntent.setPackage(intent.getStringExtra("packageName"));
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component =
-                        new ComponentName((String) intent.getExtra("packageName"), null);
+                        new ComponentName(intent.getStringExtra("packageName"), null);
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component =
-                        new ComponentName("", (String) intent.getExtra("className"));
+                        new ComponentName("", intent.getStringExtra("className"));
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component =
-                        new ComponentName((Context) null, (String) intent.getExtra("className"));
+                        new ComponentName((Context) null, intent.getStringExtra("className"));
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component = new ComponentName((Context) null,
-                        Class.forName((String) intent.getExtra("className")));
+                        Class.forName(intent.getStringExtra("className")));
                 fwdIntent.setComponent(component);
                 // needs taint step for Class.forName
                 startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component =
-                        ComponentName.createRelative("", (String) intent.getExtra("className"));
+                        ComponentName.createRelative("", intent.getStringExtra("className"));
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component =
-                        ComponentName.createRelative((String) intent.getExtra("packageName"), "");
+                        ComponentName.createRelative(intent.getStringExtra("packageName"), "");
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
             {
                 Intent fwdIntent = new Intent();
                 ComponentName component = ComponentName.createRelative((Context) null,
-                        (String) intent.getExtra("className"));
+                        intent.getStringExtra("className"));
                 fwdIntent.setComponent(component);
                 startActivity(fwdIntent); // $ hasAndroidIntentRedirection
             }
Original file line number	Diff line number	Diff line change
`@@ -17,28 +17,25 @@ public void onCreate(Bundle savedInstanceState) {`
`17`	`17`	`startActivity(intent); // $ hasAndroidIntentRedirection`
`18`	`18`	`startActivity(intent, null); // $ hasAndroidIntentRedirection`
`19`	`19`	`startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection`
`20`		`- startActivityAsUser(intent, null, null); // $ hasAndroidIntentRedirection`
`21`	`20`	`startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection`
`22`	`21`	`startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection`
`23`	`22`	`startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection`
`24`	`23`	`startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection`
`25`	`24`	`startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirection`
`26`	`25`	`startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirection`
`27`	`26`	`startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirection`
	`27`	`+ bindService(intent, null, 0);`
	`28`	`+ bindServiceAsUser(intent, null, 0, null);`
`28`	`29`	`startService(intent); // $ hasAndroidIntentRedirection`
`29`	`30`	`startServiceAsUser(intent, null); // $ hasAndroidIntentRedirection`
	`31`	`+ startForegroundService(intent); // $ hasAndroidIntentRedirection`
`30`	`32`	`sendBroadcast(intent); // $ hasAndroidIntentRedirection`
`31`	`33`	`sendBroadcast(intent, null); // $ hasAndroidIntentRedirection`
`32`		`- sendBroadcast(intent, null, null); // $ hasAndroidIntentRedirection`
`33`		`- sendBroadcast(intent, null, 0); // $ hasAndroidIntentRedirection`
`34`	`34`	`sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection`
`35`	`35`	`sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection`
`36`		`- sendBroadcastAsUser(intent, null, null, null); // $ hasAndroidIntentRedirection`
`37`		`- sendBroadcastAsUser(intent, null, null, 0); // $ hasAndroidIntentRedirection`
`38`	`36`	`sendBroadcastWithMultiplePermissions(intent, null); // $ hasAndroidIntentRedirection`
`39`	`37`	`sendStickyBroadcast(intent); // $ hasAndroidIntentRedirection`
`40`	`38`	`sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection`
`41`		`- sendStickyBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection`
`42`	`39`	`sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirection`
`43`	`40`	`sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection`
`44`	`41`	`// @formatter:on`
`@@ -63,78 +60,78 @@ public void onCreate(Bundle savedInstanceState) {`
`63`	`60`	`}`
`64`	`61`	`{`
`65`	`62`	`Intent fwdIntent = new Intent();`
`66`		`- fwdIntent.setClassName((Context) null, (String) intent.getExtra("className"));`
	`63`	`+ fwdIntent.setClassName((Context) null, intent.getStringExtra("className"));`
`67`	`64`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`68`	`65`	`}`
`69`	`66`	`{`
`70`	`67`	`Intent fwdIntent = new Intent();`
`71`		`- fwdIntent.setClassName((String) intent.getExtra("packageName"), null);`
	`68`	`+ fwdIntent.setClassName(intent.getStringExtra("packageName"), null);`
`72`	`69`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`73`	`70`	`}`
`74`	`71`	`{`
`75`	`72`	`Intent fwdIntent = new Intent();`
`76`		`- fwdIntent.setClassName((String) intent.getExtra("packageName"),`
`77`		`- (String) intent.getExtra("className"));`
	`73`	`+ fwdIntent.setClassName(intent.getStringExtra("packageName"),`
	`74`	`+ intent.getStringExtra("className"));`
`78`	`75`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`79`	`76`	`}`
`80`	`77`	`{`
`81`	`78`	`Intent fwdIntent = new Intent();`
`82`		`- fwdIntent.setClass(null, Class.forName((String) intent.getExtra("className")));`
	`79`	`+ fwdIntent.setClass(null, Class.forName(intent.getStringExtra("className")));`
`83`	`80`	`// needs taint step for Class.forName`
`84`	`81`	`startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection`
`85`	`82`	`}`
`86`	`83`	`{`
`87`	`84`	`Intent fwdIntent = new Intent();`
`88`		`- fwdIntent.setPackage((String) intent.getExtra("packageName"));`
	`85`	`+ fwdIntent.setPackage(intent.getStringExtra("packageName"));`
`89`	`86`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`90`	`87`	`}`
`91`	`88`	`{`
`92`	`89`	`Intent fwdIntent = new Intent();`
`93`	`90`	`ComponentName component =`
`94`		`- new ComponentName((String) intent.getExtra("packageName"), null);`
	`91`	`+ new ComponentName(intent.getStringExtra("packageName"), null);`
`95`	`92`	`fwdIntent.setComponent(component);`
`96`	`93`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`97`	`94`	`}`
`98`	`95`	`{`
`99`	`96`	`Intent fwdIntent = new Intent();`
`100`	`97`	`ComponentName component =`
`101`		`- new ComponentName("", (String) intent.getExtra("className"));`
	`98`	`+ new ComponentName("", intent.getStringExtra("className"));`
`102`	`99`	`fwdIntent.setComponent(component);`
`103`	`100`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`104`	`101`	`}`
`105`	`102`	`{`
`106`	`103`	`Intent fwdIntent = new Intent();`
`107`	`104`	`ComponentName component =`
`108`		`- new ComponentName((Context) null, (String) intent.getExtra("className"));`
	`105`	`+ new ComponentName((Context) null, intent.getStringExtra("className"));`
`109`	`106`	`fwdIntent.setComponent(component);`
`110`	`107`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`111`	`108`	`}`
`112`	`109`	`{`
`113`	`110`	`Intent fwdIntent = new Intent();`
`114`	`111`	`ComponentName component = new ComponentName((Context) null,`
`115`		`- Class.forName((String) intent.getExtra("className")));`
	`112`	`+ Class.forName(intent.getStringExtra("className")));`
`116`	`113`	`fwdIntent.setComponent(component);`
`117`	`114`	`// needs taint step for Class.forName`
`118`	`115`	`startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection`
`119`	`116`	`}`
`120`	`117`	`{`
`121`	`118`	`Intent fwdIntent = new Intent();`
`122`	`119`	`ComponentName component =`
`123`		`- ComponentName.createRelative("", (String) intent.getExtra("className"));`
	`120`	`+ ComponentName.createRelative("", intent.getStringExtra("className"));`
`124`	`121`	`fwdIntent.setComponent(component);`
`125`	`122`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`126`	`123`	`}`
`127`	`124`	`{`
`128`	`125`	`Intent fwdIntent = new Intent();`
`129`	`126`	`ComponentName component =`
`130`		`- ComponentName.createRelative((String) intent.getExtra("packageName"), "");`
	`127`	`+ ComponentName.createRelative(intent.getStringExtra("packageName"), "");`
`131`	`128`	`fwdIntent.setComponent(component);`
`132`	`129`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`133`	`130`	`}`
`134`	`131`	`{`
`135`	`132`	`Intent fwdIntent = new Intent();`
`136`	`133`	`ComponentName component = ComponentName.createRelative((Context) null,`
`137`		`- (String) intent.getExtra("className"));`
	`134`	`+ intent.getStringExtra("className"));`
`138`	`135`	`fwdIntent.setComponent(component);`
`139`	`136`	`startActivity(fwdIntent); // $ hasAndroidIntentRedirection`
`140`	`137`	`}`