Use proper class inheritance

luchua-bc · luchua-bc · commit 2ee9a45e6913 · 2020-10-28T22:05:30.000Z
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -307,36 +307,26 @@ class ReverseDNSMethod extends Method {
 
 /** Android `Intent` that may have come from a hostile application. */
 class AndroidIntentInput extends DataFlow::Node {
+  Type receiverType;
+
   AndroidIntentInput() {
     exists(MethodAccess ma, AndroidGetIntentMethod m |
       ma.getMethod().overrides*(m) and
-      this.asExpr() = ma
+      this.asExpr() = ma and
+      receiverType = ma.getEnclosingCallable().getDeclaringType()
     )
     or
     exists(Method m, AndroidReceiveIntentMethod rI |
       m.overrides*(rI) and
-      this.asParameter() = m.getParameter(1)
+      this.asParameter() = m.getParameter(1) and
+      receiverType = m.getDeclaringType()
     )
   }
 }
 
 /** Exported Android `Intent` that may have come from a hostile application. */
-class ExportedAndroidIntentInput extends RemoteFlowSource {
-  ExportedAndroidIntentInput() {
-    exists(ExportableAndroidComponent exportedType | exportedType.isExported() |
-      exists(MethodAccess ma, AndroidGetIntentMethod m |
-        ma.getMethod().overrides*(m) and
-        this.asExpr() = ma and
-        exportedType = ma.getEnclosingCallable().getDeclaringType()
-      )
-      or
-      exists(Method m, AndroidReceiveIntentMethod rI |
-        m.overrides*(rI) and
-        this.asParameter() = m.getParameter(1) and
-        exportedType = m.getDeclaringType()
-      )
-    )
-  }
+class ExportedAndroidIntentInput extends RemoteFlowSource, AndroidIntentInput {
+  ExportedAndroidIntentInput() { receiverType.(ExportableAndroidComponent).isExported() }
 
-  override string getSourceType() { result = "Android intent source" }
+  override string getSourceType() { result = "Exported Android intent source" }
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/android/Android.qll b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
@@ -31,7 +31,7 @@ class AndroidComponent extends Class {
 }
 
 /**
- * An Android component that is explicitly or implicitly exported.
+ * An Android component that can be explicitly or implicitly exported.
  */
 class ExportableAndroidComponent extends AndroidComponent {
   /** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */
diff --git a/java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity4.java b/java/ql/test/experimental/query-tests/security/CWE-749/UnsafeActivity4.java
@@ -9,7 +9,10 @@
 import android.webkit.WebViewClient;
 
 public class UnsafeActivity4 extends Activity {
-	//Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+	/** 
+	 * Test onCreate with both JavaScript and cross-origin resource access enabled while taking remote user inputs from bundle extras
+     * Note this case of invoking utility method that takes an Activity a then calls `a.getIntent().getStringExtra(...)` is not yet detected thus is beyond what the query is capable of.
+	 */
 	public void onCreate(Bundle savedInstanceState) {
 		super.onCreate(savedInstanceState);
 		setContentView(-1);

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class AndroidComponent extends Class {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`/**`
`34`		`- * An Android component that is explicitly or implicitly exported.`
	`34`	`+ * An Android component that can be explicitly or implicitly exported.`
`35`	`35`	`*/`
`36`	`36`	`class ExportableAndroidComponent extends AndroidComponent {`
`37`	`37`	/** Holds if this Android component is configured as `exported` or has intent filters configured without `exported` explicitly disabled in an `AndroidManifest.xml` file. */