Add RemoteFlowSource as a valid source

egregius313 · egregius313 · commit 0eaad4136e1e · 2023-03-08T12:12:11.000-05:00
diff --git a/java/ql/src/Security/CWE/CWE-094/ArbitraryAPKInstallation.ql b/java/ql/src/Security/CWE/CWE-094/ArbitraryAPKInstallation.ql
@@ -15,6 +15,7 @@ import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.dataflow.TaintTracking3
+import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph
 
@@ -85,7 +86,8 @@ class ExternalApkSource extends DataFlow::Node {
   ExternalApkSource() {
     sourceNode(this, "android-external-storage-dir") or
     this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or
-    this.asExpr().(StringLiteral).getValue().matches("file://%")
+    this.asExpr().(StringLiteral).getValue().matches("file://%") or
+    this instanceof RemoteFlowSource
   }
 }
 
