Java: update intent-start sink kind to intent-redirection

Jami Cogswell · Jami Cogswell · commit b23f384a50bd · 2023-05-31T15:49:07.000-04:00
diff --git a/java/ql/lib/ext/android.app.model.yml b/java/ql/lib/ext/android.app.model.yml
@@ -3,14 +3,14 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.app", "Activity", True, "bindService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "bindServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
       - ["android.app", "Activity", True, "setResult", "(int,Intent)", "", "Argument[1]", "pending-intents", "manual"]
-      - ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.app", "Activity", True, "startActivityAsCaller", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int)", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(Intent,int,Bundle)", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResult", "(String,Intent,int,Bundle)", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.app", "Activity", True, "startActivityForResultAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
       - ["android.app", "AlarmManager", True, "set", "(int,long,PendingIntent)", "", "Argument[2]", "pending-intents", "manual"]
       - ["android.app", "AlarmManager", True, "setAlarmClock", "", "", "Argument[1]", "pending-intents", "manual"]
       - ["android.app", "AlarmManager", True, "setAndAllowWhileIdle", "", "", "Argument[2]", "pending-intents", "manual"]
diff --git a/java/ql/lib/ext/android.content.model.yml b/java/ql/lib/ext/android.content.model.yml
@@ -47,22 +47,22 @@ extensions:
       - ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[2]", "sql-injection", "manual"]
       - ["android.content", "ContentResolver", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[2]", "sql-injection", "manual"]
       - ["android.content", "ContentResolver", True, "update", "(Uri,ContentValues,String,String[])", "", "Argument[2]", "sql-injection", "manual"]
-      - ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-start", "manual"]
-      - ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-start", "manual"]
+      - ["android.content", "Context", True, "sendBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendBroadcastWithMultiplePermissions", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyOrderedBroadcast", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "sendStickyOrderedBroadcastAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivities", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivity", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityFromChild", "", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityFromFragment", "", "", "Argument[1]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startActivityIfNeeded", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startForegroundService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startService", "", "", "Argument[0]", "intent-redirection", "manual"]
+      - ["android.content", "Context", True, "startServiceAsUser", "", "", "Argument[0]", "intent-redirection", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -276,8 +276,8 @@ module ModelValidation {
         [
           "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
           "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",
-          "ognl-injection", "intent-start", "pending-intents", "url-redirection", "create-file",
-          "read-file", "write-file", "set-hostname-verifier", "header-splitting",
+          "ognl-injection", "intent-redirection", "pending-intents", "url-redirection",
+          "create-file", "read-file", "write-file", "set-hostname-verifier", "header-splitting",
           "information-leak", "xslt-injection", "jexl-injection", "bean-validation",
           "template-injection", "fragment-injection", "command-injection"
         ] and
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -30,7 +30,7 @@ class IntentRedirectionAdditionalTaintStep extends Unit {
 
 /** Default sink for Intent redirection vulnerabilities. */
 private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
-  DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }
+  DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -54,7 +54,8 @@ private class IntentCreationSource extends ImplicitPendingIntentSource {
 
 private class SendPendingIntent extends ImplicitPendingIntentSink {
   SendPendingIntent() {
-    sinkNode(this, "intent-start") and
+    // intent redirection sinks are method calls that start Android components
+    sinkNode(this, "intent-redirection") and
     // implicit intents can't be started as services since API 21
     not exists(MethodAccess ma, Method m |
       ma.getMethod() = m and

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ class IntentRedirectionAdditionalTaintStep extends Unit {`
`30`	`30`
`31`	`31`	`/** Default sink for Intent redirection vulnerabilities. */`
`32`	`32`	`private class DefaultIntentRedirectionSink extends IntentRedirectionSink {`
`33`		`- DefaultIntentRedirectionSink() { sinkNode(this, "intent-start") }`
	`33`	`+ DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`/**`