From 3024d9aed26eeb44ebfa948edc6e6472086739eb Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Thu, 20 Apr 2017 16:30:10 -0700
Subject: [PATCH] [quandary] more IPC sources

Summary:
Adding `Service` and `BroadcastReceiver` endpoints.

Reviewed By: helios175

Differential Revision: D4915329

fbshipit-source-id: efbec38
---
 infer/src/quandary/JavaTrace.ml | 10 +++
 .../codetoanalyze/java/quandary/Intents.java | 87 +++++++++++++++++++
 .../codetoanalyze/java/quandary/issues.exp | 7 ++
 3 files changed, 104 insertions(+)

diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml
index f338afda5..96b360918 100644
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@@ -110,6 +110,16 @@ module SourceKind = struct
 match Typ.Name.name typename, method_name with
 | "android.app.Activity", ("onActivityResult" | "onNewIntent") ->
 Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
+ | "android.app.Service",
+ ("onBind" |
+ "onRebind" |
+ "onStart" |
+ "onStartCommand" |
+ "onTaskRemoved" |
+ "onUnbind") ->
+ Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
+ | "android.content.BroadcastReceiver", "onReceive" ->
+ Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
 | "android.webkit.WebViewClient",
 ("onLoadResource" | "shouldInterceptRequest" | "shouldOverrideUrlLoading") ->
 Some
diff --git a/infer/tests/codetoanalyze/java/quandary/Intents.java b/infer/tests/codetoanalyze/java/quandary/Intents.java
index 53c7490b9..132677ffa 100644
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
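Review bot: The new `Service` and `BroadcastReceiver` arms repeat the `Some (taint_formals_with_types ["android.content.Intent"] Intent formals)` right-hand side of the `Activity` arm verbatim, three times in a row; since all three arms yield the same source kind they can be folded into one or-pattern with a single result, which makes the next Intent-carrying entry point a one-line addition. The match is on `Typ.Name.name typename`, so whether an override declared on a subclass such as the test's `MyBroadcastReceiver` is recognised depends on how `typename` is computed earlier in the enclosing function, which starts before this hunk. If coverage is widened later, `android.app.IntentService.onHandleIntent` is the remaining Intent-carrying Service entry point not listed here, and would need its own expectation lines.
```ocaml
    | "android.app.Activity", ("onActivityResult" | "onNewIntent")
    | "android.app.Service",
      ("onBind" | "onRebind" | "onStart" | "onStartCommand" | "onTaskRemoved" | "onUnbind")
    | "android.content.BroadcastReceiver", "onReceive" ->
        Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
    (* … unchanged: WebViewClient arm and the rest of the match … *)
```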
@@ -13,12 +13,15 @@ import java.io.IOException;
 import java.net.URISyntaxException;
 
 import android.app.Activity;
+import android.app.Service;
+import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentSender.SendIntentException;
 import android.content.res.Resources;
 import android.net.Uri;
 import android.os.Bundle;
+import android.os.IBinder;
 
 import com.facebook.infer.builtins.InferTaint;
 
@@ -43,6 +46,90 @@ class MyActivity extends Activity {
 public void onNewIntent(Intent intent) {
 startService(intent);
 }
+
+ private BroadcastReceiver mReceiver;
+ private Uri mUri;
+
+ @Override
+ public void onCreate(Bundle savedInstanceState) {
+ mReceiver = new BroadcastReceiver() {
+ @Override
+ // intent is modeled as tainted
+ public void onReceive(Context context, Intent intent) {
+ mUri = intent.getData();
+ }
+ };
+ registerReceiver(mReceiver, null);
+ }
+
+
+ @Override
+ public void onResume() {
+ FN_startServiceWithTaintedIntent();
+ }
+
+ // need to understand the lifecycle to get this
+ void FN_startServiceWithTaintedIntent() {
+ Intent taintedIntent = new Intent("", mUri);
+ startService(taintedIntent);
+ }
+}
+
+class MyBroadcastReceiver extends BroadcastReceiver {
+
+ Activity mActivity;
+
+ @Override
+ // intent is modeled as tainted
+ public void onReceive(Context context, Intent intent) {
+ mActivity.startService(intent);
+ }
+
+}
+
+class MyService extends Service {
+
+ Activity mActivity;
+
+ @Override
+ // intent is modeled as tainted
+ public IBinder onBind(Intent intent) {
+ mActivity.startService(intent);
+ return null;
+ }
+
+ @Override
+ // intent is modeled as tainted
+ public void onRebind(Intent intent) {
+ mActivity.startService(intent);
+ }
+
+ @Override
+ // intent is modeled as tainted
+ public void onStart(Intent intent, int startId) {
+ mActivity.startService(intent);
+ }
+
+ @Override
+ // intent is modeled as tainted
+ public int onStartCommand(Intent intent, int flags, int startId) {
+ mActivity.startService(intent);
+ return 0;
+ }
+
+ @Override
+ // intent is modeled as tainted
+ public void onTaskRemoved(Intent intent) {
+ mActivity.startService(intent);
+ }
+
+ @Override
+ // intent is modeled as tainted
+ public boolean onUnbind(Intent intent) {
+ mActivity.startService(intent);
+ return false;
+ }
+
 }
 
 public class Intents {
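Review bot: `MyService` and `MyBroadcastReceiver` route the tainted intent through an `Activity mActivity` field that nothing in the hunk assigns, so the fixture only type-checks and would dereference null if executed. `Service` is itself a `ContextWrapper`, so each `MyService` callback can call `startService(intent);` directly, which is also exactly the `ContextWrapper.startService` sink the new issues.exp lines name; `MyBroadcastReceiver.onReceive` can use its own parameter, `context.startService(intent);`, assuming `Context.startService` is modeled as a sink the way `Context.startActivity` is in the `subclassCallBad` expectation. Both changes let the two `mActivity` fields go. Separately, the new `MyActivity.onCreate` and `onResume` overrides skip the `super` calls; for an analysis fixture that is fine, but a one-line comment such as `// fixture only: super lifecycle calls intentionally omitted` would save the next reader from "fixing" it.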
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 8525912f7..4ea6ff1b6 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@@ -57,6 +57,9 @@ codetoanalyze/java/quandary/Fields.java, void Fields.viaNestedFieldBad2(), 4, QU
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad1(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.callSourceAndSinkBad2(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void FlowSensitivity.sourceAndSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/FlowSensitivity.java, void FlowSensitivity.interproceduralFlowSensitivityBad(FlowSensitivity$Obj), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),return from void FlowSensitivity.returnSource(FlowSensitivity$Obj),call to void FlowSensitivity.callSink(FlowSensitivity$Obj),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Intents.java, IBinder MyService.onBind(Intent), 1, QUANDARY_TAINT_ERROR, [return from IBinder MyService.onBind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, boolean MyService.onUnbind(Intent), 1, QUANDARY_TAINT_ERROR, [return from boolean MyService.onUnbind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, int MyService.onStartCommand(Intent,int,int), 1, QUANDARY_TAINT_ERROR, [return from int MyService.onStartCommand(Intent,int,int),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean ContextWrapper.bindService(Intent,ServiceConnection,int)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcast(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllActivitySinksBad(Activity,String), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void ContextWrapper.sendBroadcastAsUser(Intent,UserHandle)]
@@ -92,6 +95,10 @@ codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity),
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Context.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.onActivityResult(int,int,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onActivityResult(int,int,Intent),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.onNewIntent(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onNewIntent(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyBroadcastReceiver.onReceive(Context,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyBroadcastReceiver.onReceive(Context,Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onRebind(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onRebind(Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onStart(Intent,int), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onStart(Intent,int),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyService.onTaskRemoved(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyService.onTaskRemoved(Intent),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSourceAndSinkInterprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),return from Object Interprocedural.returnSourceIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]