Use AndroidIntentInput source

Author: luchua-bc

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -305,48 +305,22 @@ class ReverseDNSMethod extends Method {
   }
 }
 
-/** Android `Intent` that may have come from a hostile application. */
-class AndroidIntentInput extends DataFlow::Node {
+/** Exported Android `Intent` that may have come from a hostile application. */
+class AndroidIntentInput extends RemoteFlowSource {
   AndroidIntentInput() {
-    exists(MethodAccess ma, AndroidGetIntentMethod m |
-      ma.getMethod().overrides*(m) and
-      this.asExpr() = ma
-    )
-    or
-    exists(Method m, AndroidReceiveIntentMethod rI |
-      m.overrides*(rI) and
-      this.asParameter() = m.getParameter(1)
-    )
-  }
-}
-
-/** Method access to external inputs of `android.content.Intent` or `android.os.BaseBundle` object. */
-class IntentGetExtraMethodAccess extends MethodAccess {
-  IntentGetExtraMethodAccess() {
-    exists(AndroidComponent ac |
-      this.getEnclosingCallable().getDeclaringType() = ac and
-      ac.isExported() and
-      this.getMethod().getName().regexpMatch("get\\w+Extra") and
-      this.getMethod().getDeclaringType() instanceof TypeIntent
-    )
-    or
-    this.getMethod().getName().regexpMatch("get\\w+") and
-    this
-        .getMethod()
-        .getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("android.os", "BaseBundle")
-  }
-}
-
-/** Android intent extra source. */
-private class AndroidIntentExtraSource extends RemoteFlowSource {
-  AndroidIntentExtraSource() {
-    exists(AndroidIntentInput inode |
-      this.asExpr() = inode.asExpr() or
-      this.asExpr() = inode.asParameter().getAnAccess()
+    this.getEnclosingCallable().getDeclaringType().(AndroidComponent).isExported() and
+    (
+      exists(MethodAccess ma, AndroidGetIntentMethod m |
+        ma.getMethod().overrides*(m) and
+        this.asExpr() = ma
+      )
+      or
+      exists(Method m, AndroidReceiveIntentMethod rI |
+        m.overrides*(rI) and
+        this.asParameter() = m.getParameter(1)
+      )
     )
   }
 
-  override string getSourceType() { result = "Android intent extra" }
+  override string getSourceType() { result = "Android intent source" }
 }

java/ql/src/semmle/code/java/dataflow/FlowSteps.qll

@@ -141,30 +141,31 @@ private class StringBuilderTaintPreservingCallable extends TaintPreservingCallab
   }
 }
 
-/**
- * Holds if `n1` to `n2` is a dataflow step between the extra getter method and its caller Android `Intent` or `Bundle`.
- */
-private predicate intentExtraStep(DataFlow::ExprNode n1, DataFlow::ExprNode n2) {
-  exists(IntentGetExtraMethodAccess ma |
-    n1.asExpr() = ma.getQualifier() and
-    n2.asExpr() = ma
-  )
+/** Method access to external inputs of `android.os.BaseBundle` object. */
+class GetBundleExtraMethodAccess extends MethodAccess {
+  GetBundleExtraMethodAccess() {
+    this.getMethod().getName().regexpMatch("get\\w+") and
+    this
+        .getMethod()
+        .getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("android.os", "BaseBundle")
+  }
 }
 
 /**
- * Holds if `n1` to `n2` is a dataflow step from Android `Intent` to its `getExtras` method.
+ * Holds if `n1` to `n2` is a dataflow step between the extra getter method and its caller `Bundle`.
  */
 private predicate bundleExtraStep(DataFlow::ExprNode n1, DataFlow::ExprNode n2) {
-  exists(MethodAccess ma | ma.getMethod().hasName("getExtras") |
+  exists(GetBundleExtraMethodAccess ma |
     n1.asExpr() = ma.getQualifier() and
     n2.asExpr() = ma
   )
 }
 
-/** A set of additional taint steps to consider when taint tracking Android intent extra related data flows. */
+/** Additional taint step to consider when taint tracking Android intent extra related data flows. */
 class AndroidExtraSourceAdditionalTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    intentExtraStep(node1, node2) or
     bundleExtraStep(node1, node2)
   }
 }