github
diff --git a/‎java/ql/lib/change-notes/2023-03-22-deprecate-webviewdubuggingenabledquery.md
Lines changed: 4 additions & 0 deletions b/‎java/ql/lib/change-notes/2023-03-22-deprecate-webviewdubuggingenabledquery.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
Lines changed: 7 additions & 7 deletions b/‎java/ql/lib/semmle/code/java/security/AndroidCertificatePinningQuery.qll
Lines changed: 7 additions & 7 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
Lines changed: 34 additions & 16 deletions b/‎java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
Lines changed: 34 additions & 16 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Lines changed: 6 additions & 6 deletions b/‎java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
Lines changed: 6 additions & 6 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
Lines changed: 8 additions & 8 deletions b/‎java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll
Lines changed: 8 additions & 8 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll
Lines changed: 19 additions & 1 deletion b/‎java/ql/lib/semmle/code/java/security/UnsafeAndroidAccessQuery.qll
Lines changed: 19 additions & 1 deletion
diff --git a/‎java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
Lines changed: 70 additions & 0 deletions b/‎java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
Lines changed: 70 additions & 0 deletions
diff --git a/‎java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll
Lines changed: 8 additions & 38 deletions b/‎java/ql/lib/semmle/code/java/security/WebviewDubuggingEnabledQuery.qll
Lines changed: 8 additions & 38 deletions
diff --git a/‎java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
Lines changed: 4 additions & 4 deletions b/‎java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
Lines changed: 4 additions & 4 deletions
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `WebViewDubuggingQuery` library has been renamed to `WebViewDebuggingQuery` to fix the typo in the file name. `WebViewDubuggingQuery` is now deprecated. 
@@ -106,29 +106,29 @@ private class MissingPinningSink extends DataFlow::Node {
 }
 
 /** Configuration for finding uses of non trusted URLs. */
-private class UntrustedUrlConfig extends TaintTracking::Configuration {
-  UntrustedUrlConfig() { this = "UntrustedUrlConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
+private module UntrustedUrlConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     trustedDomain(_) and
     exists(string lit | lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() |
       lit.matches("%://%") and // it's a URL
       not exists(string dom | trustedDomain(dom) and lit.matches("%" + dom + "%"))
     )
   }
 
-  override predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }
+  predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }
 }
 
+private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
+
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
 predicate missingPinning(DataFlow::Node node, string domain) {
   isAndroid() and
   node instanceof MissingPinningSink and
   (
     not trustedDomain(_) and domain = ""
     or
-    exists(UntrustedUrlConfig conf, DataFlow::Node src |
-      conf.hasFlow(src, node) and
+    exists(DataFlow::Node src |
+      UntrustedUrlFlow::flow(src, node) and
       domain = getDomain(src.asExpr())
     )
   )
 
@@ -8,9 +8,11 @@ import semmle.code.java.dataflow.TaintTracking3
 import semmle.code.java.security.AndroidIntentRedirection
 
 /**
+ * DEPRECATED: Use `IntentRedirectionFlow` instead.
+ *
  * A taint tracking configuration for tainted Intents being used to start Android components.
  */
-class IntentRedirectionConfiguration extends TaintTracking::Configuration {
+deprecated class IntentRedirectionConfiguration extends TaintTracking::Configuration {
   IntentRedirectionConfiguration() { this = "IntentRedirectionConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -26,31 +28,45 @@ class IntentRedirectionConfiguration extends TaintTracking::Configuration {
   }
 }
 
+/** A taint tracking configuration for tainted Intents being used to start Android components. */
+module IntentRedirectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof IntentRedirectionSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+/** Tracks the flow of tainted Intents being used to start Android components. */
+module IntentRedirectionFlow = TaintTracking::Global<IntentRedirectionConfig>;
+
 /**
  * A sanitizer for sinks that receive the original incoming Intent,
  * since its component cannot be arbitrarily set.
  */
 private class OriginalIntentSanitizer extends IntentRedirectionSanitizer {
-  OriginalIntentSanitizer() { any(SameIntentBeingRelaunchedConfiguration c).hasFlowTo(this) }
+  OriginalIntentSanitizer() { SameIntentBeingRelaunchedFlow::flowTo(this) }
 }
 
 /**
  * Data flow configuration used to discard incoming Intents
  * flowing directly to sinks that start Android components.
  */
-private class SameIntentBeingRelaunchedConfiguration extends DataFlow2::Configuration {
-  SameIntentBeingRelaunchedConfiguration() { this = "SameIntentBeingRelaunchedConfiguration" }
+private module SameIntentBeingRelaunchedConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof IntentRedirectionSink }
 
-  override predicate isBarrier(DataFlow::Node barrier) {
+  predicate isBarrier(DataFlow::Node barrier) {
     // Don't discard the Intent if its original component is tainted
     barrier instanceof IntentWithTaintedComponent
   }
 
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     // Intents being built with the copy constructor from the original Intent are discarded too
     exists(ClassInstanceExpr cie |
       cie.getConstructedType() instanceof TypeIntent and
@@ -61,29 +77,31 @@ private class SameIntentBeingRelaunchedConfiguration extends DataFlow2::Configur
   }
 }
 
+private module SameIntentBeingRelaunchedFlow = DataFlow::Global<SameIntentBeingRelaunchedConfig>;
+
 /** An `Intent` with a tainted component. */
 private class IntentWithTaintedComponent extends DataFlow::Node {
   IntentWithTaintedComponent() {
-    exists(IntentSetComponent setExpr, TaintedIntentComponentConf conf |
+    exists(IntentSetComponent setExpr |
       setExpr.getQualifier() = this.asExpr() and
-      conf.hasFlowTo(DataFlow::exprNode(setExpr.getSink()))
+      TaintedIntentComponentFlow::flowTo(DataFlow::exprNode(setExpr.getSink()))
     )
   }
 }
 
 /**
  * A taint tracking configuration for tainted data flowing to an `Intent`'s component.
  */
-private class TaintedIntentComponentConf extends TaintTracking3::Configuration {
-  TaintedIntentComponentConf() { this = "TaintedIntentComponentConf" }
+private module TaintedIntentComponentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     any(IntentSetComponent setComponent).getSink() = sink.asExpr()
   }
 }
 
+private module TaintedIntentComponentFlow = TaintTracking::Global<TaintedIntentComponentConfig>;
+
 /** A call to a method that changes the component of an `Intent`. */
 private class IntentSetComponent extends MethodAccess {
   int sinkArg;
 
@@ -14,25 +14,25 @@ private class OnReceiveMethod extends Method {
 }
 
 /** A configuration to detect whether the `action` of an `Intent` is checked. */
-private class VerifiedIntentConfig extends DataFlow::Configuration {
-  VerifiedIntentConfig() { this = "VerifiedIntentConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
+private module VerifiedIntentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
     src.asParameter() = any(OnReceiveMethod orm).getIntentParameter()
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess ma |
       ma.getMethod().hasQualifiedName("android.content", "Intent", "getAction") and
       sink.asExpr() = ma.getQualifier()
     )
   }
 }
 
+private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
+
 /** An `onReceive` method that doesn't verify the action of the intent it receives. */
 private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
   UnverifiedOnReceiveMethod() {
-    not any(VerifiedIntentConfig c).hasFlow(DataFlow::parameterNode(this.getIntentParameter()), _)
+    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _)
   }
 }
 
 
@@ -91,23 +91,23 @@ private predicate inputTypeFieldNotCached(Field f) {
 }
 
 /** Configuration that finds uses of `setInputType` for non cached fields. */
-private class GoodInputTypeConf extends DataFlow::Configuration {
-  GoodInputTypeConf() { this = "GoodInputTypeConf" }
-
-  override predicate isSource(DataFlow::Node node) {
+private module GoodInputTypeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
     inputTypeFieldNotCached(node.asExpr().(FieldAccess).getField())
   }
 
-  override predicate isSink(DataFlow::Node node) { node.asExpr() = setInputTypeForId(_) }
+  predicate isSink(DataFlow::Node node) { node.asExpr() = setInputTypeForId(_) }
 
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(OrBitwiseExpr bitOr |
       node1.asExpr() = bitOr.getAChildExpr() and
       node2.asExpr() = bitOr
     )
   }
 }
 
+private module GoodInputTypeFlow = DataFlow::Global<GoodInputTypeConfig>;
+
 /** Gets a regex indicating that an input field may contain sensitive data. */
 private string getInputSensitiveInfoRegex() {
   result =
@@ -130,8 +130,8 @@ AndroidEditableXmlElement getASensitiveCachedInput() {
   result.getId().regexpMatch(getInputSensitiveInfoRegex()) and
   (
     not inputTypeNotCached(result.getInputType()) and
-    not exists(GoodInputTypeConf conf, DataFlow::Node sink |
-      conf.hasFlowTo(sink) and
+    not exists(DataFlow::Node sink |
+      GoodInputTypeFlow::flowTo(sink) and
       sink.asExpr() = setInputTypeForId(result.getId())
     )
   )
 
@@ -7,9 +7,11 @@ import semmle.code.java.security.RequestForgery
 import semmle.code.java.security.UnsafeAndroidAccess
 
 /**
+ * DEPRECATED: Use `FetchUntrustedResourceFlow` instead.
+ *
  * A taint configuration tracking flow from untrusted inputs to a resource fetching call.
  */
-class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
+deprecated class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
   FetchUntrustedResourceConfiguration() { this = "FetchUntrustedResourceConfiguration" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -20,3 +22,19 @@ class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
     sanitizer instanceof RequestForgerySanitizer
   }
 }
+
+/**
+ * A taint configuration tracking flow from untrusted inputs to a resource fetching call.
+ */
+module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof RequestForgerySanitizer }
+}
+
+/**
+ * Detects taint flow from untrusted inputs to a resource fetching call.
+ */
+module FetchUntrustedResourceFlow = TaintTracking::Global<FetchUntrustedResourceConfig>;
@@ -0,0 +1,70 @@
+/** Definitions for the Android Webview Debugging Enabled query */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.controlflow.Guards
+import semmle.code.java.security.SecurityTests
+
+/** Holds if `ex` looks like a check that this is a debug build. */
+private predicate isDebugCheck(Expr ex) {
+  exists(Expr subex, string debug |
+    debug.toLowerCase().matches(["%debug%", "%test%"]) and
+    subex.getParent*() = ex
+  |
+    subex.(VarAccess).getVariable().getName() = debug
+    or
+    subex.(MethodAccess).getMethod().hasName("getProperty") and
+    subex.(MethodAccess).getAnArgument().(CompileTimeConstantExpr).getStringValue() = debug
+  )
+}
+
+/**
+ * DEPRECATED: Use `WebviewDebugEnabledFlow` instead.
+ *
+ * A configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values.
+ */
+deprecated class WebviewDebugEnabledConfig extends DataFlow::Configuration {
+  WebviewDebugEnabledConfig() { this = "WebviewDebugEnabledConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node.asExpr().(BooleanLiteral).getBooleanValue() = true
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
+      node.asExpr() = ma.getArgument(0)
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node node) {
+    exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _))
+    or
+    node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
+  }
+}
+
+/** A configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values. */
+module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    node.asExpr().(BooleanLiteral).getBooleanValue() = true
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
+      node.asExpr() = ma.getArgument(0)
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _))
+    or
+    node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
+  }
+}
+
+/**
+ * Tracks instances of `setWebContentDebuggingEnabled` with `true` values.
+ */
+module WebviewDebugEnabledFlow = DataFlow::Global<WebviewDebugEnabledConfig>;
@@ -1,41 +1,11 @@
-/** Definitions for the Android Webview Debugging Enabled query */
+/**
+ * DEPRECATED: Use `semmle.code.java.security.WebviewDebuggingEnabledQuery` instead.
+ *
+ * Definitions for the Android Webview Debugging Enabled query
+ */
 
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.controlflow.Guards
-import semmle.code.java.security.SecurityTests
+private import semmle.code.java.security.WebviewDebuggingEnabledQuery as WebviewDebuggingEnabledQuery
 
-/** Holds if `ex` looks like a check that this is a debug build. */
-private predicate isDebugCheck(Expr ex) {
-  exists(Expr subex, string debug |
-    debug.toLowerCase().matches(["%debug%", "%test%"]) and
-    subex.getParent*() = ex
-  |
-    subex.(VarAccess).getVariable().getName() = debug
-    or
-    subex.(MethodAccess).getMethod().hasName("getProperty") and
-    subex.(MethodAccess).getAnArgument().(CompileTimeConstantExpr).getStringValue() = debug
-  )
-}
-
-/** A configuration to find instances of `setWebContentDebuggingEnabled` called with `true` values. */
-class WebviewDebugEnabledConfig extends DataFlow::Configuration {
-  WebviewDebugEnabledConfig() { this = "WebviewDebugEnabledConfig" }
-
-  override predicate isSource(DataFlow::Node node) {
-    node.asExpr().(BooleanLiteral).getBooleanValue() = true
-  }
-
-  override predicate isSink(DataFlow::Node node) {
-    exists(MethodAccess ma |
-      ma.getMethod().hasQualifiedName("android.webkit", "WebView", "setWebContentsDebuggingEnabled") and
-      node.asExpr() = ma.getArgument(0)
-    )
-  }
-
-  override predicate isBarrier(DataFlow::Node node) {
-    exists(Guard debug | isDebugCheck(debug) and debug.controls(node.asExpr().getBasicBlock(), _))
-    or
-    node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
-  }
-}
+deprecated class WebviewDebugEnabledConfig =
+  WebviewDebuggingEnabledQuery::WebviewDebugEnabledConfig;
@@ -11,9 +11,9 @@
  */
 
 import java
-import semmle.code.java.security.WebviewDubuggingEnabledQuery
-import DataFlow::PathGraph
+import semmle.code.java.security.WebviewDebuggingEnabledQuery
+import WebviewDebugEnabledFlow::PathGraph
 
-from WebviewDebugEnabledConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-where conf.hasFlowPath(source, sink)
+from WebviewDebugEnabledFlow::PathNode source, WebviewDebugEnabledFlow::PathNode sink
+where WebviewDebugEnabledFlow::flowPath(source, sink)
 select sink, source, sink, "Webview debugging is enabled."
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: deprecated
 +---
 +* The `WebViewDubuggingQuery` library has been renamed to `WebViewDebuggingQuery` to fix the typo in the file name. `WebViewDubuggingQuery` is now deprecated.
Original file line number	Diff line number	Diff line change
`@@ -106,29 +106,29 @@ private class MissingPinningSink extends DataFlow::Node {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`/** Configuration for finding uses of non trusted URLs. */`
`109`		`-private class UntrustedUrlConfig extends TaintTracking::Configuration {`
`110`		`- UntrustedUrlConfig() { this = "UntrustedUrlConfig" }`
`111`		`-`
`112`		`- override predicate isSource(DataFlow::Node node) {`
	`109`	`+private module UntrustedUrlConfig implements DataFlow::ConfigSig {`
	`110`	`+ predicate isSource(DataFlow::Node node) {`
`113`	`111`	`trustedDomain(_) and`
`114`	`112`	`exists(string lit \| lit = node.asExpr().(CompileTimeConstantExpr).getStringValue() \|`
`115`	`113`	`lit.matches("%://%") and // it's a URL`
`116`	`114`	`not exists(string dom \| trustedDomain(dom) and lit.matches("%" + dom + "%"))`
`117`	`115`	`)`
`118`	`116`	`}`
`119`	`117`
`120`		`- override predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }`
	`118`	`+ predicate isSink(DataFlow::Node node) { node instanceof MissingPinningSink }`
`121`	`119`	`}`
`122`	`120`
	`121`	`+private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;`
	`122`	`+`
`123`	`123`	/** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
`124`	`124`	`predicate missingPinning(DataFlow::Node node, string domain) {`
`125`	`125`	`isAndroid() and`
`126`	`126`	`node instanceof MissingPinningSink and`
`127`	`127`	`(`
`128`	`128`	`not trustedDomain(_) and domain = ""`
`129`	`129`	`or`
`130`		`- exists(UntrustedUrlConfig conf, DataFlow::Node src \|`
`131`		`- conf.hasFlow(src, node) and`
	`130`	`+ exists(DataFlow::Node src \|`
	`131`	`+ UntrustedUrlFlow::flow(src, node) and`
`132`	`132`	`domain = getDomain(src.asExpr())`
`133`	`133`	`)`
`134`	`134`	`)`
Original file line number	Diff line number	Diff line change
`@@ -14,25 +14,25 @@ private class OnReceiveMethod extends Method {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	/** A configuration to detect whether the `action` of an `Intent` is checked. */
`17`		`-private class VerifiedIntentConfig extends DataFlow::Configuration {`
`18`		`- VerifiedIntentConfig() { this = "VerifiedIntentConfig" }`
`19`		`-`
`20`		`- override predicate isSource(DataFlow::Node src) {`
	`17`	`+private module VerifiedIntentConfig implements DataFlow::ConfigSig {`
	`18`	`+ predicate isSource(DataFlow::Node src) {`
`21`	`19`	`src.asParameter() = any(OnReceiveMethod orm).getIntentParameter()`
`22`	`20`	`}`
`23`	`21`
`24`		`- override predicate isSink(DataFlow::Node sink) {`
	`22`	`+ predicate isSink(DataFlow::Node sink) {`
`25`	`23`	`exists(MethodAccess ma \|`
`26`	`24`	`ma.getMethod().hasQualifiedName("android.content", "Intent", "getAction") and`
`27`	`25`	`sink.asExpr() = ma.getQualifier()`
`28`	`26`	`)`
`29`	`27`	`}`
`30`	`28`	`}`
`31`	`29`
	`30`	`+private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;`
	`31`	`+`
`32`	`32`	/** An `onReceive` method that doesn't verify the action of the intent it receives. */
`33`	`33`	`private class UnverifiedOnReceiveMethod extends OnReceiveMethod {`
`34`	`34`	`UnverifiedOnReceiveMethod() {`
`35`		`- not any(VerifiedIntentConfig c).hasFlow(DataFlow::parameterNode(this.getIntentParameter()), _)`
	`35`	`+ not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _)`
`36`	`36`	`}`
`37`	`37`	`}`
`38`	`38`
Original file line number	Diff line number	Diff line change
`@@ -91,23 +91,23 @@ private predicate inputTypeFieldNotCached(Field f) {`
`91`	`91`	`}`
`92`	`92`
`93`	`93`	/** Configuration that finds uses of `setInputType` for non cached fields. */
`94`		`-private class GoodInputTypeConf extends DataFlow::Configuration {`
`95`		`- GoodInputTypeConf() { this = "GoodInputTypeConf" }`
`96`		`-`
`97`		`- override predicate isSource(DataFlow::Node node) {`
	`94`	`+private module GoodInputTypeConfig implements DataFlow::ConfigSig {`
	`95`	`+ predicate isSource(DataFlow::Node node) {`
`98`	`96`	`inputTypeFieldNotCached(node.asExpr().(FieldAccess).getField())`
`99`	`97`	`}`
`100`	`98`
`101`		`- override predicate isSink(DataFlow::Node node) { node.asExpr() = setInputTypeForId(_) }`
	`99`	`+ predicate isSink(DataFlow::Node node) { node.asExpr() = setInputTypeForId(_) }`
`102`	`100`
`103`		`- override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
	`101`	`+ predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`104`	`102`	`exists(OrBitwiseExpr bitOr \|`
`105`	`103`	`node1.asExpr() = bitOr.getAChildExpr() and`
`106`	`104`	`node2.asExpr() = bitOr`
`107`	`105`	`)`
`108`	`106`	`}`
`109`	`107`	`}`
`110`	`108`
	`109`	`+private module GoodInputTypeFlow = DataFlow::Global<GoodInputTypeConfig>;`
	`110`	`+`
`111`	`111`	`/** Gets a regex indicating that an input field may contain sensitive data. */`
`112`	`112`	`private string getInputSensitiveInfoRegex() {`
`113`	`113`	`result =`
`@@ -130,8 +130,8 @@ AndroidEditableXmlElement getASensitiveCachedInput() {`
`130`	`130`	`result.getId().regexpMatch(getInputSensitiveInfoRegex()) and`
`131`	`131`	`(`
`132`	`132`	`not inputTypeNotCached(result.getInputType()) and`
`133`		`- not exists(GoodInputTypeConf conf, DataFlow::Node sink \|`
`134`		`- conf.hasFlowTo(sink) and`
	`133`	`+ not exists(DataFlow::Node sink \|`
	`134`	`+ GoodInputTypeFlow::flowTo(sink) and`
`135`	`135`	`sink.asExpr() = setInputTypeForId(result.getId())`
`136`	`136`	`)`
`137`	`137`	`)`