[quandary] more IPC sources

Summary: Adding `Service` and `BroadcastReceiver` endpoints. Reviewed By: helios175 Differential Revision: D4915329 fbshipit-source-id: efbec38
8 years ago · 3024d9aed2
parent 3f67ca3f80
commit 3024d9aed2
3 changed files with 104 additions and 0 deletions
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -110,6 +110,16 @@ module SourceKind = struct
                match Typ.Name.name typename, method_name with
                | "android.app.Activity", ("onActivityResult" | "onNewIntent") ->
                    Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
+                | "android.app.Service",
+                  ("onBind" |
+                   "onRebind" |
+                   "onStart" |
+                   "onStartCommand" |
+                   "onTaskRemoved" |
+                   "onUnbind") ->
+                    Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
+                | "android.content.BroadcastReceiver", "onReceive" ->
+                    Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
                | "android.webkit.WebViewClient",
                  ("onLoadResource" | "shouldInterceptRequest" | "shouldOverrideUrlLoading") ->
                    Some
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
@ -13,12 +13,15 @@ import java.io.IOException;
 import java.net.URISyntaxException;

 import android.app.Activity;
+import android.app.Service;
+import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentSender.SendIntentException;
 import android.content.res.Resources;
 import android.net.Uri;
 import android.os.Bundle;
+import android.os.IBinder;

 import com.facebook.infer.builtins.InferTaint;

@ -43,6 +46,90 @@ class MyActivity extends Activity {
  public void onNewIntent(Intent intent) {
    startService(intent);
  }
+
+  private BroadcastReceiver mReceiver;
+  private Uri mUri;
+
+  @Override
+  public void onCreate(Bundle savedInstanceState) {
+    mReceiver = new BroadcastReceiver() {
+        @Override
+        // intent is modeled as tainted
+        public void onReceive(Context context, Intent intent) {
+          mUri = intent.getData();
+        }
+      };
+    registerReceiver(mReceiver, null);
+  }
+
+
+  @Override
+  public void onResume() {
+    FN_startServiceWithTaintedIntent();
+  }
+
+  // need to understand the lifecycle to get this
+  void FN_startServiceWithTaintedIntent() {
+    Intent taintedIntent = new Intent("", mUri);
+    startService(taintedIntent);
+  }
+}
+
+class MyBroadcastReceiver extends BroadcastReceiver {
+
+  Activity mActivity;
+
+  @Override
+  // intent is modeled as tainted
+  public void onReceive(Context context, Intent intent) {
+    mActivity.startService(intent);
+  }
+
+}
+
+class MyService extends Service {
+
+  Activity mActivity;
+
+  @Override
+  // intent is modeled as tainted
+  public IBinder onBind(Intent intent) {
+    mActivity.startService(intent);
+    return null;
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public void onRebind(Intent intent) {
+    mActivity.startService(intent);
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public void onStart(Intent intent, int startId) {
+    mActivity.startService(intent);
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public int onStartCommand(Intent intent, int flags, int startId) {
+    mActivity.startService(intent);
+    return 0;
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public void onTaskRemoved(Intent intent) {
+    mActivity.startService(intent);
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public boolean onUnbind(Intent intent) {
+    mActivity.startService(intent);
+    return false;
+  }
+
 }

 public class Intents {
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -57,6 +57,9 @@ codetoanalyze/java/quandary/Fields.java, void Fields.viaNestedFieldBad2(), 4, QU
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad1(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad2(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),call to void FlowSensitivity.callSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Intents.java, IBinder MyService.onBind(Intent), 1, QUANDARY_TAINT_ERROR, [return from IBinder MyService.onBind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, boolean MyService.onUnbind(Intent), 1, QUANDARY_TAINT_ERROR, [return from boolean MyService.onUnbind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, int MyService.onStartCommand(Intent,int,int), 1, QUANDARY_TAINT_ERROR, [return from int MyService.onStartCommand(Intent,int,int),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
@ -92,6 +95,10 @@ codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity),
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Context.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.onActivityResult(int,int,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onActivityResult(int,int,Intent),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.onNewIntent(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onNewIntent(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyBroadcastReceiver.onReceive(Context,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyBroadcastReceiver.onReceive(Context,Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onRebind(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onRebind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onStart(Intent,int), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onStart(Intent,int),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onTaskRemoved(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onTaskRemoved(Intent),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSourceAndSinkInterprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),return from Object Interprocedural.returnSourceIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]