[quandary] java shell exec as sink

Reviewed By: oebeling

Differential Revision: D6812484

fbshipit-source-id: d9f7270
master
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent 268e0b9b5f
commit 27172f7f8a

@ -244,6 +244,7 @@ module SinkKind = struct
| HTML (** sink that creates HTML *) | HTML (** sink that creates HTML *)
| JavaScript (** sink that passes its arguments to untrusted JS code *) | JavaScript (** sink that passes its arguments to untrusted JS code *)
| Logging (** sink that logs one or more of its arguments *) | Logging (** sink that logs one or more of its arguments *)
| ShellExec (** sink that runs a shell command *)
| StartComponent (** sink that launches an Activity, Service, etc. *) | StartComponent (** sink that launches an Activity, Service, etc. *)
| Other (** for testing or uncategorized sinks *) | Other (** for testing or uncategorized sinks *)
[@@deriving compare] [@@deriving compare]
@ -265,6 +266,8 @@ module SinkKind = struct
Logging Logging
| "OpenDrawableResource" -> | "OpenDrawableResource" ->
OpenDrawableResource OpenDrawableResource
| "ShellExec" ->
ShellExec
| "StartComponent" -> | "StartComponent" ->
StartComponent StartComponent
| _ -> | _ ->
@ -364,6 +367,8 @@ module SinkKind = struct
| "postUrl" | "postUrl"
| "postWebMessage" ) ) -> | "postWebMessage" ) ) ->
taint_all JavaScript taint_all JavaScript
| "java.lang.Runtime", "exec" ->
taint_nth 0 ShellExec
| class_name, method_name -> | class_name, method_name ->
(* check the list of externally specified sinks *) (* check the list of externally specified sinks *)
let procedure = class_name ^ "." ^ method_name in let procedure = class_name ^ "." ^ method_name in
@ -405,6 +410,8 @@ module SinkKind = struct
"Logging" "Logging"
| OpenDrawableResource -> | OpenDrawableResource ->
"OpenDrawableResource" "OpenDrawableResource"
| ShellExec ->
"ShellExec"
| StartComponent -> | StartComponent ->
"StartComponent" "StartComponent"
| Other -> | Other ->
@ -474,6 +481,8 @@ include Trace.Make (struct
Some IssueType.create_intent_from_uri Some IssueType.create_intent_from_uri
| PrivateData, Logging -> | PrivateData, Logging ->
Some IssueType.logging_private_data Some IssueType.logging_private_data
| (Intent | UserControlledString | UserControlledURI), ShellExec ->
Some IssueType.shell_injection
| Other, _ | _, Other -> | Other, _ | _, Other ->
(* for testing purposes, Other matches everything *) (* for testing purposes, Other matches everything *)
Some IssueType.quandary_taint_error Some IssueType.quandary_taint_error

@ -14,6 +14,8 @@ import android.content.ClipboardManager;
import android.text.Html; import android.text.Html;
import android.text.Spanned; import android.text.Spanned;
import android.widget.EditText; import android.widget.EditText;
import java.io.IOException;
import java.lang.Runtime;
import com.facebook.infer.builtins.InferTaint; import com.facebook.infer.builtins.InferTaint;
@ -38,4 +40,14 @@ public class UserControlledStrings {
return Html.fromHtml(mEditText.getText().toString()); return Html.fromHtml(mEditText.getText().toString());
} }
void clipboardToShellDirectBad() throws IOException {
Runtime.getRuntime().exec(clipboard.getText().toString());
}
void clipboardToShellArrayBad() throws IOException {
String[] cmds = new String[] { "ls", clipboard.getText().toString() };
Runtime.getRuntime().exec(cmds);
}
} }

@ -204,6 +204,8 @@ codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnkno
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0] codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0] codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.clipboardToShellArrayBad(), 2, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to Process Runtime.exec(java.lang.String[]) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.clipboardToShellDirectBad(), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to Process Runtime.exec(String) with tainted index 1]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0] codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]

Loading…
Cancel
Save