Add test and check for another edge case

atorralba · atorralba · commit e7983fb26972 · 2021-10-18T11:10:23.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -55,6 +55,7 @@ private class SameIntentBeingRelaunchedConfiguration extends DataFlow3::Configur
     exists(ClassInstanceExpr cie |
       cie.getConstructedType() instanceof TypeIntent and
       node1.asExpr() = cie.getArgument(0) and
+      node1.asExpr().getType() instanceof TypeIntent and
       node2.asExpr() = cie
     )
   }
diff --git a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java
@@ -146,6 +146,11 @@ public void onCreate(Bundle savedInstanceState) {
                 anotherIntent.setComponent(cp);
                 startActivity(originalIntent); // Safe - not a tainted Intent
             }
+            {
+                Intent originalIntent = getIntent();
+                Intent anotherIntent = new Intent(originalIntent);
+                startActivity(anotherIntent); // Safe - copy constructor from original Intent
+            }
             {
                 Intent originalIntent = getIntent();
                 Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ private class SameIntentBeingRelaunchedConfiguration extends DataFlow3::Configur`
`55`	`55`	`exists(ClassInstanceExpr cie \|`
`56`	`56`	`cie.getConstructedType() instanceof TypeIntent and`
`57`	`57`	`node1.asExpr() = cie.getArgument(0) and`
	`58`	`+ node1.asExpr().getType() instanceof TypeIntent and`
`58`	`59`	`node2.asExpr() = cie`
`59`	`60`	`)`
`60`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,11 @@ public void onCreate(Bundle savedInstanceState) {`
`146`	`146`	`anotherIntent.setComponent(cp);`
`147`	`147`	`startActivity(originalIntent); // Safe - not a tainted Intent`
`148`	`148`	`}`
	`149`	`+ {`
	`150`	`+ Intent originalIntent = getIntent();`
	`151`	`+ Intent anotherIntent = new Intent(originalIntent);`
	`152`	`+ startActivity(anotherIntent); // Safe - copy constructor from original Intent`
	`153`	`+ }`
`149`	`154`	`{`
`150`	`155`	`Intent originalIntent = getIntent();`
`151`	`156`	`Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");`