Remove Url#parse as a source

egregius313 · egregius313 · commit d3d712fbff18 · 2023-03-08T12:12:10.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-094/ArbitraryAPKInstallation.ql b/java/ql/src/Security/CWE/CWE-094/ArbitraryAPKInstallation.ql
@@ -71,7 +71,7 @@ class SetDataSink extends DataFlow::ExprNode {
 /** A method that generates a URI. */
 class UriConstructorMethod extends Method {
   UriConstructorMethod() {
-    this.hasQualifiedName("android.net", "Uri", ["parse", "fromFile", "fromParts"]) or
+    this.hasQualifiedName("android.net", "Uri", [/*"parse",*/ "fromFile", "fromParts"]) or
     this.hasQualifiedName("androidx.core.content", "FileProvider", "getUriForFile")
   }
 }
@@ -110,6 +110,13 @@ class ApkConfiguration extends DataFlow::Configuration {
   }
 }
 
+class SetActionMethod extends Method {
+  SetActionMethod() {
+    this.hasName("setAction") and
+    this.getDeclaringType() instanceof TypeIntent
+  }
+}
+
 private class InstallPackageActionConfiguration extends TaintTracking3::Configuration {
   InstallPackageActionConfiguration() { this = "InstallPackageActionConfiguration" }
 
@@ -123,10 +130,19 @@ private class InstallPackageActionConfiguration extends TaintTracking3::Configur
   ) {
     state1 instanceof DataFlow::FlowStateEmpty and
     state2 = "hasPackageInstallAction" and
-    exists(ConstructorCall cc |
-      cc.getConstructedType() instanceof TypeIntent and
-      node1.asExpr() = cc.getArgument(0) and
-      node2.asExpr() = cc
+    (
+      exists(ConstructorCall cc |
+        cc.getConstructedType() instanceof TypeIntent and
+        node1.asExpr() = cc.getArgument(0) and
+        node1.asExpr().getType() instanceof TypeString and
+        node2.asExpr() = cc
+      )
+      or
+      exists(MethodAccess ma |
+        ma.getMethod() instanceof SetActionMethod and
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma.getQualifier()
+      )
     )
   }
 
diff --git a/java/ql/test/query-tests/security/CWE-094/APKInstallation.expected b/java/ql/test/query-tests/security/CWE-094/APKInstallation.expected
@@ -1,18 +1,16 @@
 edges
 nodes
 | APKInstallation.java:14:31:14:58 | fromFile(...) | semmle.label | fromFile(...) |
-| APKInstallation.java:21:31:21:44 | parse(...) | semmle.label | parse(...) |
-| APKInstallation.java:29:24:29:38 | parse(...) | semmle.label | parse(...) |
 | APKInstallation.java:36:24:36:51 | fromFile(...) | semmle.label | fromFile(...) |
 | APKInstallation.java:43:31:43:48 | fromFile(...) | semmle.label | fromFile(...) |
 | APKInstallation.java:50:24:50:41 | fromFile(...) | semmle.label | fromFile(...) |
 | APKInstallation.java:57:24:57:41 | fromFile(...) | semmle.label | fromFile(...) |
+| APKInstallation.java:70:24:70:41 | fromFile(...) | semmle.label | fromFile(...) |
 subpaths
 #select
 | APKInstallation.java:14:31:14:58 | fromFile(...) | APKInstallation.java:14:31:14:58 | fromFile(...) | APKInstallation.java:14:31:14:58 | fromFile(...) | Arbitrary Android APK installation. |
-| APKInstallation.java:21:31:21:44 | parse(...) | APKInstallation.java:21:31:21:44 | parse(...) | APKInstallation.java:21:31:21:44 | parse(...) | Arbitrary Android APK installation. |
-| APKInstallation.java:29:24:29:38 | parse(...) | APKInstallation.java:29:24:29:38 | parse(...) | APKInstallation.java:29:24:29:38 | parse(...) | Arbitrary Android APK installation. |
 | APKInstallation.java:36:24:36:51 | fromFile(...) | APKInstallation.java:36:24:36:51 | fromFile(...) | APKInstallation.java:36:24:36:51 | fromFile(...) | Arbitrary Android APK installation. |
 | APKInstallation.java:43:31:43:48 | fromFile(...) | APKInstallation.java:43:31:43:48 | fromFile(...) | APKInstallation.java:43:31:43:48 | fromFile(...) | Arbitrary Android APK installation. |
 | APKInstallation.java:50:24:50:41 | fromFile(...) | APKInstallation.java:50:24:50:41 | fromFile(...) | APKInstallation.java:50:24:50:41 | fromFile(...) | Arbitrary Android APK installation. |
 | APKInstallation.java:57:24:57:41 | fromFile(...) | APKInstallation.java:57:24:57:41 | fromFile(...) | APKInstallation.java:57:24:57:41 | fromFile(...) | Arbitrary Android APK installation. |
+| APKInstallation.java:70:24:70:41 | fromFile(...) | APKInstallation.java:70:24:70:41 | fromFile(...) | APKInstallation.java:70:24:70:41 | fromFile(...) | Arbitrary Android APK installation. |
diff --git a/java/ql/test/query-tests/security/CWE-094/APKInstallation.java b/java/ql/test/query-tests/security/CWE-094/APKInstallation.java
@@ -57,4 +57,19 @@ public void installAPK6(String path) {
         intent.setData(Uri.fromFile(file));
         startActivity(intent);
     }
+
+    public void openWebsite() {
+        Intent intent = new Intent(Intent.ACTION_VIEW);
+        intent.setData(Uri.parse("http://www.example.com"));
+        startActivity(intent);
+    }
+
+    public void otherIntent(File file) {
+        Intent intent = new Intent(this, OtherActivity.class);
+        intent.setAction(Intent.ACTION_VIEW);
+        intent.setData(Uri.fromFile(file));
+    }
+}
+
+class OtherActivity extends Activity {
 }
