[quandary] Warn on reusing result returned from getIntent

Reviewed By: mburman

Differential Revision: D4388824

fbshipit-source-id: ebb13cc
master
Sam Blackshear 8 years ago committed by Facebook Github Bot
parent 915282105d
commit 2a4b29fedb

@ -41,6 +41,8 @@ module SourceKind = struct
| class_name, method_name -> | class_name, method_name ->
let taint_matching_supertype typename _ = let taint_matching_supertype typename _ =
match Typename.name typename, method_name with match Typename.name typename, method_name with
| "android.app.Activity", "getIntent" ->
Some Intent
| "android.content.Intent", "getStringExtra" -> | "android.content.Intent", "getStringExtra" ->
Some Intent Some Intent
| "android.content.SharedPreferences", "getString" -> | "android.content.SharedPreferences", "getString" ->
@ -136,6 +138,7 @@ module SinkKind = struct
"sendBroadcast" | "sendBroadcast" |
"sendBroadcastAsUser" | "sendBroadcastAsUser" |
"sendOrderedBroadcast" | "sendOrderedBroadcast" |
"sendOrderedBroadcastAsUser" |
"sendStickyBroadcast" | "sendStickyBroadcast" |
"sendStickyBroadcastAsUser" | "sendStickyBroadcastAsUser" |
"sendStickyOrderedBroadcast" | "sendStickyOrderedBroadcast" |
@ -145,8 +148,11 @@ module SinkKind = struct
"startActivityForResult" | "startActivityForResult" |
"startActivityIfNeeded" | "startActivityIfNeeded" |
"startNextMatchingActivity" | "startNextMatchingActivity" |
"startService") -> "startService" |
"stopService") ->
Some (taint_nth 0 Intent ~report_reachable:true) Some (taint_nth 0 Intent ~report_reachable:true)
| "android.content.Context", "startIntentSender" ->
Some (taint_nth 1 Intent ~report_reachable:true)
| "android.content.Intent", | "android.content.Intent",
("fillIn" | ("fillIn" |
"makeMainSelectorActivity" | "makeMainSelectorActivity" |

@ -15,6 +15,7 @@ import java.net.URISyntaxException;
import android.app.Activity; import android.app.Activity;
import android.content.Context; import android.content.Context;
import android.content.Intent; import android.content.Intent;
import android.content.IntentSender.SendIntentException;
import android.content.res.Resources; import android.content.res.Resources;
import android.net.Uri; import android.net.Uri;
import android.os.Bundle; import android.os.Bundle;
@ -34,13 +35,14 @@ public class Intents {
private native int rand(); private native int rand();
public void callAllActivitySinksBad(Activity activity, String uri) throws public void callAllActivitySinksBad(Activity activity, String uri) throws
IOException, URISyntaxException, XmlPullParserException { SendIntentException, IOException, URISyntaxException, XmlPullParserException {
Intent intent = (Intent) InferTaint.inferSecretSource(); Intent intent = (Intent) InferTaint.inferSecretSource();
activity.bindService(intent, null, 0); activity.bindService(intent, null, 0);
activity.sendBroadcast(intent); activity.sendBroadcast(intent);
activity.sendBroadcastAsUser(intent, null); activity.sendBroadcastAsUser(intent, null);
activity.sendOrderedBroadcast(intent, null); activity.sendOrderedBroadcast(intent, null);
activity.sendOrderedBroadcastAsUser(intent, null, null, null, null, 0, null, null);
activity.sendStickyBroadcast(intent); activity.sendStickyBroadcast(intent);
activity.sendStickyBroadcastAsUser(intent, null); activity.sendStickyBroadcastAsUser(intent, null);
activity.sendStickyOrderedBroadcast(intent, null, null, 0, null, null); activity.sendStickyOrderedBroadcast(intent, null, null, 0, null, null);
@ -51,7 +53,9 @@ public class Intents {
activity.startActivityIfNeeded(intent, 0); activity.startActivityIfNeeded(intent, 0);
activity.startActivityFromChild(null, intent, 0); activity.startActivityFromChild(null, intent, 0);
activity.startActivityFromFragment(null, intent, 0); activity.startActivityFromFragment(null, intent, 0);
activity.startService(intent); // 15 sinks, 15 expected reports activity.startIntentSender(null, intent, 0, 0, 0);
activity.startService(intent);
activity.stopService(intent); // 18 sinks, 18 expected reports
} }
public void callAllIntentSinksBad(Intent cleanIntent) throws public void callAllIntentSinksBad(Intent cleanIntent) throws
@ -86,4 +90,8 @@ public class Intents {
context.startActivity(intent); context.startActivity(intent);
} }
void reuseIntentBad(Activity activity) {
activity.startActivity(activity.getIntent());
}
} }

@ -57,17 +57,20 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(A
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 7, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcast(Intent,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcast(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendOrderedBroadcastAsUser(Intent,UserHandle,String,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 9, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcast(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 10, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyBroadcastAsUser(Intent,UserHandle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcast(Intent,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendStickyOrderedBroadcastAsUser(Intent,UserHandle,BroadcastReceiver,Handler,int,String,Bundle)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivities(android.content.Intent[])]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 14, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivity(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 15, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityForResult(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromChild(Activity,Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 16, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean Activity.startActivityIfNeeded(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 17, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromChild(Activity,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 18, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startActivityFromFragment(Fragment,Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 19, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Activity.startIntentSender(IntentSender,Intent,int,int,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to ComponentName ContextWrapper.startService(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 21, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.stopService(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to int Intent.fillIn(Intent,int)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 8, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to int Intent.fillIn(Intent,int)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 9, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.makeMainSelectorActivity(String,String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 9, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.makeMainSelectorActivity(String,String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 10, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 10, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.parseIntent(Resources,XmlPullParser,AttributeSet)]
@ -83,6 +86,7 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Int
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Intent.setSelector(Intent)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 20, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Intent.setSelector(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 21, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setType(String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 21, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setType(String)]
codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)] codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)]
codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity), 1, QUANDARY_TAINT_ERROR, [return from Intent Activity.getIntent(),call to void Activity.startActivity(Intent)]
codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setAction(String)] codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setAction(String)]
codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]

Loading…
Cancel
Save