pghs975uc
/
infer_clone
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

[quandary][java] Intent.parseIntent/Intent.parseUri should propagate taint, not create it

Browse Source 
Reviewed By: dkgi

Differential Revision: D4377669

fbshipit-source-id: 393e4f5
master
Sam Blackshear 8 years ago committed by Facebook Github Bot
parent 8d0f6e822c
commit 1403e9c898
3 changed files with 29 additions and 54 deletions
Show Stats Download Patch File Download Diff File

9
infer/src/quandary/JavaTrace.ml
Unescape View File

@ -26,7 +26,7 @@ module SourceKind = struct
| Procname.Java pname ->
begin
match Procname.java_get_class_name pname, Procname.java_get_method pname with
| "android.content.Intent", ("getStringExtra" | "parseUri" | "parseIntent") ->
| "android.content.Intent", "getStringExtra" ->
Some Intent
| "android.content.SharedPreferences", "getString" ->
Some PrivateData
@ -176,10 +176,9 @@ include
let should_report source sink =
match Source.kind source, Sink.kind sink with
| Other, Other
| PrivateData, Logging ->
true
| Intent, Intent ->
| PrivateData, Logging
| Intent, Intent
| Other, _ | _, Other ->
true
| _ ->
false

15
infer/tests/codetoanalyze/java/quandary/Intents.java
Unescape View File

@ -29,16 +29,7 @@ public class Intents {
public void callAllActivitySinksBad(Activity activity, String uri) throws
IOException, URISyntaxException, XmlPullParserException {
Intent intent = null;
switch (rand()) {
case 1:
intent = Intent.parseUri(null, 0);
break;
case 2:
intent = Intent.parseIntent(null, null, null);
break;
}
Intent intent = (Intent) InferTaint.inferSecretSource();
activity.bindService(intent, null, 0);
activity.sendBroadcast(intent);
@ -54,13 +45,13 @@ public class Intents {
activity.startActivityIfNeeded(intent, 0);
activity.startActivityFromChild(null, intent, 0);
activity.startActivityFromFragment(null, intent, 0);
activity.startService(intent); // 2 sinks * 15 sources = 30 expected reports
activity.startService(intent); // 15 sinks, 15 expected reports
}
public void callAllIntentSinksBad(Intent cleanIntent) throws
IOException, URISyntaxException, XmlPullParserException {
String taintedString = cleanIntent.getStringExtra("");
Intent taintedIntent = Intent.parseUri(null, 0);
Intent taintedIntent = (Intent) InferTaint.inferSecretSource();
Resources taintedResources = (Resources) ((Object) taintedString);
Uri taintedUri = taintedIntent.getData();

59
infer/tests/codetoanalyze/java/quandary/issues.exp
Unescape View File

@ -53,49 +53,34 @@ codetoanalyze/java/quandary/Fields.java, void Fields.viaNestedFieldBad2(), 4, QU
codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad1(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad2(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),call to void FlowSensitivity.callSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivities(android.content.Intent[])]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivities(android.content.Intent[])]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 22, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivity(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 22, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivity(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 23, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityForResult(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 23, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivityForResult(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 24, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to boolean Activity.startActivityIfNeeded(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 24, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to boolean Activity.startActivityIfNeeded(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 25, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityFromChild(Activity,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 25, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivityFromChild(Activity,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 26, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Activity.startActivityFromFragment(Fragment,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 26, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to void Activity.startActivityFromFragment(Fragment,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 27, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to ComponentName ContextWrapper.startService(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 27, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet),call to ComponentName ContextWrapper.startService(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to int Intent.fillIn(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromChild(Activity,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to int Intent.fillIn(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 9, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.makeMainSelectorActivity(String,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 10, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 11, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseUri(String,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 12, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.replaceExtras(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.replaceExtras(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 13, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setAction(String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 14, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setClassName(String,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 15, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setData(Uri)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 16, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndNormalize(Uri)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 17, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndType(Uri,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 18, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to Intent Intent.setDataAndTypeAndNormalize(Uri,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setData(Uri)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndNormalize(Uri)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndType(Uri,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndTypeAndNormalize(Uri,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 19, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setPackage(String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Intent Intent.parseUri(String,int),call to void Intent.setSelector(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Intent.setSelector(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 21, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setType(String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)]
codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]

Write Preview
Loading…
Cancel
Save