
Commit d5df8dd

committed
Allow MaD sanitizers for java/android/implicit-pendingintents
1 parent 8662d73 commit d5df8dd


2 files changed

+15
-1
lines changed


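--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll
@@ -33,6 +33,9 @@ abstract class ImplicitPendingIntentSource extends ApiSourceNode { }
 /** A sink that sends an implicit and mutable `PendingIntent` to a third party. */
 abstract class ImplicitPendingIntentSink extends DataFlow::Node { }
 
+/** A sanitizer for sending an implicit and mutable `PendingIntent` to a third party. */
+abstract class ImplicitPendingIntentSanitizer extends DataFlow::Node { }
+
 /**
 * A unit class for adding additional taint steps.
 *
@@ -76,6 +79,15 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {
 }
 }
 
+private class ExplicitPendingIntentSanitizer extends ImplicitPendingIntentSanitizer instanceof ExplicitIntentSanitizer
+{ }
+
+private class ExternalIntentRedirectionSanitizer extends ExplicitIntentSanitizer {
+ExternalIntentRedirectionSanitizer() {
+barrierNode(this, ["intent-redirection", "pending-intents"])
+}
+}
+
 private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAdditionalTaintStep {
 override predicate mutablePendingIntentCreation(DataFlow::Node node1, DataFlow::Node node2) {
 exists(PendingIntentCreation pic, Argument flagArg |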
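Review bot: `ExternalIntentRedirectionSanitizer` (new lines 85–89) extends `ExplicitIntentSanitizer` rather than the `ImplicitPendingIntentSanitizer` class this commit introduces, so the models-as-data barrier is attached to the explicit-intent class instead of this query's own extension point. If `ExplicitIntentSanitizer` is a concrete class (its declaration is not on this page), the new class can only select nodes that are already explicit-intent sanitizers and no model-defined barrier is actually added; if it is abstract, importing this library widens the barrier set of every query that relies on `ExplicitIntentSanitizer`. Declaring it as `private class ExternalPendingIntentSanitizer extends ImplicitPendingIntentSanitizer {` would scope the barrier to this query. Accepting the `"intent-redirection"` kind alongside `"pending-intents"` also means any barrier modelled for intent redirection will suppress implicit-`PendingIntent` alerts, which risks false negatives unless that equivalence is intended; a QLDoc comment on the class stating why both kinds are accepted would help.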

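--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -23,7 +23,9 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
 sink instanceof ImplicitPendingIntentSink and state instanceof MutablePendingIntent
 }
 
-predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer }
+predicate isBarrier(DataFlow::Node sanitizer) {
+sanitizer instanceof ImplicitPendingIntentSanitizer
+}
 
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2)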
