github · aschackmull · Dec 15, 2023 · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -10,7 +10,7 @@ private import DataFlowImplSpecific::Private
 import DataFlowImplSpecific::Public
 private import DataFlowImpl
 import DataFlowImplCommonPublic
-import FlowStateString
+deprecated import FlowStateString
 private import codeql.util.Unit
 
 /**

@@ -6,16 +6,44 @@ private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.frameworks.android.Intent
 private import semmle.code.java.frameworks.android.PendingIntent
 
+private newtype TPendingIntentState =
+  TMutablePendingIntent() or
+  TNoState()
+
+/** A flow state for an implicit `PendingIntent` flow. */
+class PendingIntentState extends TPendingIntentState {
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+}
+
+/** A flow state indicating that a mutable `PendingIntent` has been created. */
+class MutablePendingIntent extends PendingIntentState, TMutablePendingIntent {
+  override string toString() { result = "MutablePendingIntent" }
+}
+
+/** The initial flow state for an implicit `PendingIntent` flow. */
+class NoState extends PendingIntentState, TNoState {
+  override string toString() { result = "NoState" }
+}
+
 /** A source for an implicit `PendingIntent` flow. */
 abstract class ImplicitPendingIntentSource extends DataFlow::Node {
-  /** Holds if this source has the specified `state`. */
-  predicate hasState(DataFlow::FlowState state) { state = "" }
+  /**
+   * DEPRECATED: Open-ended flow state is not intended to be part of the extension points.
+   *
+   * Holds if this source has the specified `state`.
+   */
+  deprecated predicate hasState(DataFlow::FlowState state) { state = "" }
 }
 
 /** A sink that sends an implicit and mutable `PendingIntent` to a third party. */
 abstract class ImplicitPendingIntentSink extends DataFlow::Node {
-  /** Holds if this sink has the specified `state`. */
-  predicate hasState(DataFlow::FlowState state) { state = "" }
+  /**
+   * DEPRECATED: Open-ended flow state is not intended to be part of the extension points.
+   *
+   * Holds if this sink has the specified `state`.
+   */
+  deprecated predicate hasState(DataFlow::FlowState state) { state = "" }
 }
 
 /**
@@ -32,11 +60,19 @@ class ImplicitPendingIntentAdditionalTaintStep extends Unit {
   predicate step(DataFlow::Node node1, DataFlow::Node node2) { none() }
 
   /**
+   * Holds if the step from `node1` to `node2` creates a mutable `PendingIntent`.
+   */
+  predicate mutablePendingIntentCreation(DataFlow::Node node1, DataFlow::Node node2) { none() }
+
+  /**
+   * DEPRECATED: Open-ended flow state is not intended to be part of the extension points.
+   * Use `mutablePendingIntentCreation` instead.
+   *
    * Holds if the step from `node1` to `node2` should be considered a taint
    * step for flows related to the use of implicit `PendingIntent`s. This step is only applicable
    * in `state1` and updates the flow state to `state2`.
    */
-  predicate step(
+  deprecated predicate step(
     DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
     DataFlow::FlowState state2
   ) {
@@ -66,17 +102,10 @@ private class SendPendingIntent extends ImplicitPendingIntentSink {
     or
     sinkNode(this, "pending-intents")
   }
-
-  override predicate hasState(DataFlow::FlowState state) { state = "MutablePendingIntent" }
 }
 
 private class MutablePendingIntentFlowStep extends ImplicitPendingIntentAdditionalTaintStep {
-  override predicate step(
-    DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
-    DataFlow::FlowState state2
-  ) {
-    state1 = "" and
-    state2 = "MutablePendingIntent" and
+  override predicate mutablePendingIntentCreation(DataFlow::Node node1, DataFlow::Node node2) {
     exists(PendingIntentCreation pic, Argument flagArg |
       node1.asExpr() = pic.getIntentArg() and
       node2.asExpr() = pic and

@@ -60,14 +60,14 @@ deprecated class ImplicitPendingIntentStartConf extends TaintTracking::Configura
  * being wrapped in another implicit `Intent` that gets started.
  */
 module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowState;
+  class FlowState = PendingIntentState;
 
   predicate isSource(DataFlow::Node source, FlowState state) {
-    source.(ImplicitPendingIntentSource).hasState(state)
+    source instanceof ImplicitPendingIntentSource and state instanceof NoState
   }
 
   predicate isSink(DataFlow::Node sink, FlowState state) {
-    sink.(ImplicitPendingIntentSink).hasState(state)
+    sink instanceof ImplicitPendingIntentSink and state instanceof MutablePendingIntent
   }
 
   predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof ExplicitIntentSanitizer }
@@ -79,7 +79,9 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(
     DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {
-    any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, state1, node2, state2)
+    any(ImplicitPendingIntentAdditionalTaintStep c).mutablePendingIntentCreation(node1, node2) and
+    state1 instanceof NoState and
+    state2 instanceof MutablePendingIntent
   }
 
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {