From 1403e9c8987e9b073e8d50307043ac555860b4e0 Mon Sep 17 00:00:00 2001 From: Sam Blackshear Date: Wed, 4 Jan 2017 10:45:27 -0800 Subject: [PATCH] [quandary][java] Intent.parseIntent/Intent.parseUri should propagate taint, not create it Reviewed By: dkgi Differential Revision: D4377669 fbshipit-source-id: 393e4f5 --- infer/src/quandary/JavaTrace.ml | 9 ++- .../codetoanalyze/java/quandary/Intents.java | 15 +---- .../codetoanalyze/java/quandary/issues.exp | 59 +++++++------------ 3 files changed, 29 insertions(+), 54 deletions(-) diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml index bc4be0285..4ee31eb27 100644 --- a/infer/src/quandary/JavaTrace.ml +++ b/infer/src/quandary/JavaTrace.ml @@ -26,7 +26,7 @@ module SourceKind = struct | Procname.Java pname -> begin match Procname.java_get_class_name pname, Procname.java_get_method pname with - | "android.content.Intent", ("getStringExtra" | "parseUri" | "parseIntent") -> + | "android.content.Intent", "getStringExtra" -> Some Intent | "android.content.SharedPreferences", "getString" -> Some PrivateData @@ -176,10 +176,9 @@ include let should_report source sink = match Source.kind source, Sink.kind sink with - | Other, Other - | PrivateData, Logging -> - true - | Intent, Intent -> + | PrivateData, Logging + | Intent, Intent + | Other, _ | _, Other -> true | _ -> false diff --git a/infer/tests/codetoanalyze/java/quandary/Intents.java b/infer/tests/codetoanalyze/java/quandary/Intents.java index 9a591b637..dbed01ca7 100644 --- a/infer/tests/codetoanalyze/java/quandary/Intents.java +++ b/infer/tests/codetoanalyze/java/quandary/Intents.java 
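Review bot: The `"android.content.Intent", "getStringExtra"` arm no longer shows why `parseUri` and `parseIntent` are absent, so a later reader could re-add them as sources. I would put a comment above the arm, `(* parseUri/parseIntent are not sources: they only transform their arguments, so taint reaches their result by propagation *)`. Nothing in this hunk shows where that propagation is modelled, so it is worth confirming that a tainted string passed to either call still taints the returned Intent. If it does not, flows through these parsers silently stop being reported. The enclosing match starts and ends outside the hunk.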
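Review bot: The new arm `| Other, _ | _, Other -> true` in `should_report` pairs `Other` with every kind, so `Other` to `Logging` or `Intent`, and `PrivateData` or `Intent` to `Other`, are now reported alongside `Other, Other`. Judging by issues.exp, this is what lets `InferTaint.inferSecretSource()` reach the real Intent sinks. If `Other` is ever used outside the test models, though, the wildcard will report pairs nobody chose deliberately. A comment on the arm would record the intent, for example `(* Other is the test-model kind: report it against every source and sink *)`.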
@@ -29,16 +29,7 @@ public class Intents { public void callAllActivitySinksBad(Activity activity, String uri) throws IOException, URISyntaxException, XmlPullParserException { - Intent intent = null; - - switch (rand()) { - case 1: - intent = Intent.parseUri(null, 0); - break; - case 2: - intent = Intent.parseIntent(null, null, null); - break; - } + Intent intent = (Intent) InferTaint.inferSecretSource(); activity.bindService(intent, null, 0); activity.sendBroadcast(intent); @@ -54,13 +45,13 @@ public class Intents { activity.startActivityIfNeeded(intent, 0); activity.startActivityFromChild(null, intent, 0); activity.startActivityFromFragment(null, intent, 0); - activity.startService(intent); // 2 sinks * 15 sources = 30 expected reports + activity.startService(intent); // 15 sinks, 15 expected reports } public void callAllIntentSinksBad(Intent cleanIntent) throws IOException, URISyntaxException, XmlPullParserException { String taintedString = cleanIntent.getStringExtra(""); - Intent taintedIntent = Intent.parseUri(null, 0); + Intent taintedIntent = (Intent) InferTaint.inferSecretSource(); Resources taintedResources = (Resources) ((Object) taintedString); Uri taintedUri = taintedIntent.getData(); diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp index 2b62f632c..7ac41e074 100644 --- a/infer/tests/codetoanalyze/java/quandary/issues.exp +++ b/infer/tests/codetoanalyze/java/quandary/issues.exp 
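Review bot: After this change nothing in `callAllIntentSinksBad` passes a tainted value through `Intent.parseUri` or `Intent.parseIntent` and then into a sink, so the "propagate taint" half of the commit title is not tested. `taintedIntent` now comes from `InferTaint.inferSecretSource()`, and the two parsers appear in issues.exp only as sinks for `taintedString`. I would add `Intent parsed = Intent.parseUri(taintedString, 0);` followed by `cleanIntent.setSelector(parsed);`, with the matching expected line in issues.exp. A regression that drops propagation then shows up as a missing report. The method body continues past the end of the hunk.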
@@ -53,49 +53,34 @@ codetoanalyze/java/quandary/Fields.java, void Fields.viaNestedFieldBad2(), 4, QU codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad1(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad2(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),call to void FlowSensitivity.callSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendBroadcast(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Intent 
Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendBroadcast(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyBroadcast(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyBroadcast(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Intent 
Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivities(android.content.Intent[])] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivities(android.content.Intent[])] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 22, QUANDARY_TAINT_ERROR, [return from Intent 
Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivity(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 22, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivity(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 23, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityForResult(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 23, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivityForResult(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 24, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to boolean Activity.startActivityIfNeeded(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 24, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to boolean Activity.startActivityIfNeeded(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 25, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityFromChild(Activity,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 25, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivityFromChild(Activity,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 26, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void 
Activity.startActivityFromFragment(Fragment,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 26, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityFromFragment(Fragment,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 27, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to ComponentName ContextWrapper.startService(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 27, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to ComponentName ContextWrapper.startService(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to int Intent.fillIn(Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)] 
+codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcast(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)] 
+codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromChild(Activity,Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to int Intent.fillIn(Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 9, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.makeMainSelectorActivity(String,String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 10, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 11, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseUri(String,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 12, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.replaceExtras(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent 
Intent.replaceExtras(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 13, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setAction(String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 14, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setClassName(String,String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setData(Uri)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndNormalize(Uri)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndType(Uri,String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 18, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndTypeAndNormalize(Uri,String)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setData(Uri)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndNormalize(Uri)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndType(Uri,String)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 
18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndTypeAndNormalize(Uri,String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 19, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setPackage(String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Intent.setSelector(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Intent.setSelector(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 21, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setType(String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)] codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]