From 2a4b29fedb9272e99ecc56ec02cc153dbb26f1e0 Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Mon, 9 Jan 2017 13:11:50 -0800
Subject: [PATCH] [quandary] Warn on reusing result returned from getIntent
Reviewed By: mburman
Differential Revision: D4388824
fbshipit-source-id: ebb13cc
---
 infer/src/quandary/JavaTrace.ml | 8 +++++-
 .../codetoanalyze/java/quandary/Intents.java | 12 +++++++--
 .../codetoanalyze/java/quandary/issues.exp | 26 +++++++++++--------
 3 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml
index 7c3bef7f8..230c85745 100644
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@@ -41,6 +41,8 @@ module SourceKind = struct
 | class_name, method_name ->
 let taint_matching_supertype typename _ =
 match Typename.name typename, method_name with
+ | "android.app.Activity", "getIntent" ->
+ Some Intent
 | "android.content.Intent", "getStringExtra" ->
 Some Intent
 | "android.content.SharedPreferences", "getString" ->
@@ -136,6 +138,7 @@ module SinkKind = struct
 "sendBroadcast" |
 "sendBroadcastAsUser" |
 "sendOrderedBroadcast" |
+ "sendOrderedBroadcastAsUser" |
 "sendStickyBroadcast" |
 "sendStickyBroadcastAsUser" |
 "sendStickyOrderedBroadcast" |
@@ -145,8 +148,11 @@ module SinkKind = struct
 "startActivityForResult" |
 "startActivityIfNeeded" |
 "startNextMatchingActivity" |
- "startService") ->
+ "startService" |
+ "stopService") ->
 Some (taint_nth 0 Intent ~report_reachable:true)
+ | "android.content.Context", "startIntentSender" ->
+ Some (taint_nth 1 Intent ~report_reachable:true)
 | "android.content.Intent",
 ("fillIn" |
 "makeMainSelectorActivity" |
diff --git a/infer/tests/codetoanalyze/java/quandary/Intents.java b/infer/tests/codetoanalyze/java/quandary/Intents.java
index a1c7a38df..4414d1069 100644
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
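Review bot: The new `"android.app.Activity", "getIntent"` source in the `@@ -41,6 +41,8 @@` hunk carries no comment saying why a getter on the Activity itself is treated as tainted, which is less obvious than the neighbouring `getStringExtra` case. I would add `(* the launching Intent is supplied by the caller; for an exported Activity it is untrusted *)` above the case. The same data also reaches an Activity as a parameter of `onNewIntent(Intent)` and `onActivityResult(int, int, Intent)`; a return-value match like this one would presumably not cover those, so unless they are modelled outside this hunk the warning will miss Intents forwarded from those callbacks. The `match` continues past the end of the hunk.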
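Review bot: In the `@@ -145,8 +148,11 @@` hunk only `startIntentSender` gets the index-1 sink; `Activity.startIntentSenderForResult(IntentSender, int, Intent, int, int, int)` carries its fill-in Intent at index 2 and, as far as these lines show, stays unmodelled. A sibling case would close that gap: `| "android.app.Activity", "startIntentSenderForResult" -> Some (taint_nth 2 Intent ~report_reachable:true)`, with a matching call in `callAllActivitySinksBad` and a new line in issues.exp. A short comment on the `taint_nth 1` case noting that argument 0 is the `IntentSender` would also explain why this method cannot join the index-0 list above it. The enclosing match starts and ends outside the hunk.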
@@ -15,6 +15,7 @@ import java.net.URISyntaxException; import android.app.Activity; import android.content.Context; import android.content.Intent; +import android.content.IntentSender.SendIntentException; import android.content.res.Resources; import android.net.Uri; import android.os.Bundle; @@ -34,13 +35,14 @@ public class Intents { private native int rand(); public void callAllActivitySinksBad(Activity activity, String uri) throws - IOException, URISyntaxException, XmlPullParserException { + SendIntentException, IOException, URISyntaxException, XmlPullParserException { Intent intent = (Intent) InferTaint.inferSecretSource(); activity.bindService(intent, null, 0); activity.sendBroadcast(intent); activity.sendBroadcastAsUser(intent, null); activity.sendOrderedBroadcast(intent, null); + activity.sendOrderedBroadcastAsUser(intent, null, null, null, null, 0, null, null); activity.sendStickyBroadcast(intent); activity.sendStickyBroadcastAsUser(intent, null); activity.sendStickyOrderedBroadcast(intent, null, null, 0, null, null); @@ -51,7 +53,9 @@ public class Intents { activity.startActivityIfNeeded(intent, 0); activity.startActivityFromChild(null, intent, 0); activity.startActivityFromFragment(null, intent, 0); - activity.startService(intent); // 15 sinks, 15 expected reports + activity.startIntentSender(null, intent, 0, 0, 0); + activity.startService(intent); + activity.stopService(intent); // 18 sinks, 18 expected reports } public void callAllIntentSinksBad(Intent cleanIntent) throws @@ -86,4 +90,8 @@ public class Intents { context.startActivity(intent); } + void reuseIntentBad(Activity activity) { + activity.startActivity(activity.getIntent()); + } + } diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp index eded6ed8a..5a02e3512 100644 --- a/infer/tests/codetoanalyze/java/quandary/issues.exp +++ b/infer/tests/codetoanalyze/java/quandary/issues.exp 
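Review bot: `reuseIntentBad` in the `@@ -86,4 +90,8 @@` hunk exercises `getIntent()` only on an `Activity` parameter, while JavaTrace.ml matches the source through `taint_matching_supertype`; a case where an Activity subclass forwards its own inherited `getIntent()` is not tested, so a regression in supertype matching for this source would go unnoticed. I would add a second test on a subclass (the file already seems to have subclass tests, judging by `subclassCallBad` in issues.exp) and a one-line comment on the new method, `// the launching Intent is caller-supplied; forwarding it unchanged lets the caller choose what gets started`. An `Ok` counterpart that starts a freshly built Intent would also pin down that only the reused object is reported.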
@@ -57,17 +57,20 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(A codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcast(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return 
from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromChild(Activity,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)] -codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcastAsUser(Intent,UserHandle,String,BroadcastReceiver,Handler,int,String,Bundle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to 
void ContextWrapper.sendStickyBroadcast(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void 
Activity.startActivityFromChild(Activity,Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startIntentSender(IntentSender,Intent,int,int,int)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)] +codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.stopService(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to int Intent.fillIn(Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 9, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.makeMainSelectorActivity(String,String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 10, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet)] 
@@ -83,6 +86,7 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Int codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Intent.setSelector(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 21, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setType(String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)] +codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity), 1, QUANDARY_TAINT_ERROR, [return from Intent Activity.getIntent(),call to void Activity.startActivity(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setAction(String)] codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]