Refine the query to check intents coming from outside only

luchua-bc · smowton · commit 3c5c8494b13a · 2020-10-23T11:58:16.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -342,9 +342,23 @@ private class AndroidIntentExtraSource extends RemoteFlowSource {
   AndroidIntentExtraSource() {
     exists(MethodAccess ma |
       ma instanceof IntentGetExtraMethodAccess and
-      (
-        this.asExpr().(VarAccess).getVariable().getAnAssignedValue() = ma or
-        ma.getQualifier() = this.asExpr()
+      this.asExpr() = ma and
+      exists(AndroidIntentInput inode |
+        (
+          ma.getQualifier() = inode.asExpr() or // extra from intent
+          ma.getQualifier() = inode.asParameter().getAnAccess()
+        )
+        or
+        exists(
+          MethodAccess ema // extra from extras bundle of intent
+        |
+          ema.getMethod().hasName("getExtras") and
+          ma.getQualifier() = ema and
+          (
+            ema.getQualifier() = inode.asExpr() or
+            ema.getQualifier() = inode.asParameter().getAnAccess()
+          )
+        )
       )
     )
   }
