Skip to content

Commit 5bebae9

Browse files
jbjjbj
committed
Java: Diff-informed ImproperIntentVerification.ql
1 parent e799bff commit 5bebae9

File tree

1 file changed

+29
-3
lines changed

1 file changed

+29
-3
lines changed

java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll

Lines changed: 29 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,25 @@ private module VerifiedIntentConfig implements DataFlow::ConfigSig {
2525
sink.asExpr() = ma.getQualifier()
2626
)
2727
}
28+
29+
predicate observeDiffInformedIncrementalMode() { any() }
30+
31+
Location getASelectedSourceLocation(DataFlow::Node src) {
32+
exists(AndroidReceiverXmlElement rec, OnReceiveMethod orm, SystemActionName sa |
33+
src.asParameter() = orm.getIntentParameter() and
34+
anySystemReceiver(rec, orm, sa)
35+
|
36+
result = rec.getLocation()
37+
or
38+
result = orm.getLocation()
39+
or
40+
result = sa.getLocation()
41+
)
42+
}
43+
44+
// All sinks are set to have no locations because sinks aren't selected in
45+
// the query. This effectively means that we're filtering on sources only.
46+
Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
2847
}
2948

3049
private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
@@ -67,13 +86,20 @@ class SystemActionName extends AndroidActionXmlElement {
6786
string getSystemActionName() { result = name }
6887
}
6988

70-
/** Holds if the XML element `rec` declares a receiver `orm` to receive the system action named `sa` that doesn't verify intents it receives. */
71-
predicate unverifiedSystemReceiver(
72-
AndroidReceiverXmlElement rec, UnverifiedOnReceiveMethod orm, SystemActionName sa
89+
private predicate anySystemReceiver(
90+
AndroidReceiverXmlElement rec, OnReceiveMethod orm, SystemActionName sa
7391
) {
7492
exists(Class ormty |
7593
ormty = orm.getDeclaringType() and
7694
rec.getComponentName() = ["." + ormty.getName(), ormty.getQualifiedName()] and
7795
rec.getAnIntentFilterElement().getAnActionElement() = sa
7896
)
7997
}
98+
99+
/** Holds if the XML element `rec` declares a receiver `orm` to receive the system action named `sa` that doesn't verify intents it receives. */
100+
predicate unverifiedSystemReceiver(
101+
AndroidReceiverXmlElement rec, UnverifiedOnReceiveMethod orm, SystemActionName sa
102+
) {
103+
// The type of `orm` is different in these two predicates
104+
anySystemReceiver(rec, orm, sa)
105+
}

0 commit comments

Comments
 (0)