Allow MaD sanitizers for java/android/implicit-pendingintents

Author: owen-mc

java/ql/lib/semmle/code/java/security/ImplicitPendingIntents.qll

@@ -33,6 +33,9 @@ abstract class ImplicitPendingIntentSource extends ApiSourceNode { }
 /** A sink that sends an implicit and mutable `PendingIntent` to a third party. */
 abstract class ImplicitPendingIntentSink extends DataFlow::Node { }
 
+/** A sanitizer for sending an implicit and mutable `PendingIntent` to a third party. */
+abstract class ImplicitPendingIntentSanitizer extends DataFlow::Node { }
+
 /**
  * A unit class for adding additional taint steps.
  *
@@ -76,6 +79,15 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {
   }
 }
 
+private class ExplicitPendingIntentSanitizer extends ImplicitPendingIntentSanitizer instanceof ExplicitIntentSanitizer
+{ }
+
+private class ExternalIntentRedirectionSanitizer extends ExplicitIntentSanitizer {
+  ExternalIntentRedirectionSanitizer() {
+    barrierNode(this, ["intent-redirection", "pending-intents"])
+  }
+}
+
 private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAdditionalTaintStep {
   override predicate mutablePendingIntentCreation(DataFlow::Node node1, DataFlow::Node node2) {
     exists(PendingIntentCreation pic, Argument flagArg |

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -23,7 +23,9 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
     sink instanceof ImplicitPendingIntentSink and state instanceof MutablePendingIntent
   }
 
-  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer }
+  predicate isBarrier(DataFlow::Node sanitizer) {
+    sanitizer instanceof ImplicitPendingIntentSanitizer
+  }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, node2)