From 37ab9ec3917d27ad9ca8555c08ed939dab7b915b Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Wed, 31 Jan 2018 14:46:19 -0800
Subject: [PATCH] [quandary] ProcessBuilder as sink
Summary: Another common API for shelling out in Java.
Reviewed By: oebeling
Differential Revision: D6814616
fbshipit-source-id: ba815b5
---
 infer/src/quandary/JavaTaintAnalysis.ml | 5 +++--
 infer/src/quandary/JavaTrace.ml | 4 ++++
 .../java/quandary/UserControlledStrings.java | 20 +++++++++++++++++++
 .../codetoanalyze/java/quandary/issues.exp | 4 ++++
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/infer/src/quandary/JavaTaintAnalysis.ml b/infer/src/quandary/JavaTaintAnalysis.ml
index e7215e928..066f25375 100644
--- a/infer/src/quandary/JavaTaintAnalysis.ml
+++ b/infer/src/quandary/JavaTaintAnalysis.ml
@@ -55,8 +55,9 @@ include TaintAnalysis.Make (struct
 []
 | _ when Typ.Procname.is_constructor pname ->
 [TaintSpec.Propagate_to_receiver]
- | _, _, (Some {Typ.desc= Tvoid} | None) when not is_static ->
- (* for instance methods with no return value, propagate the taint to the receiver *)
+ | _, _, (Some {Typ.desc= Tvoid | Tint _ | Tfloat _} | None) when not is_static ->
+ (* for instance methods with a non-Object return value, propagate the taint to the
+ receiver *)
 [TaintSpec.Propagate_to_receiver]
 | classname, _, Some {Typ.desc= Tptr _ | Tstruct _} -> (
 match actuals with
diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml
index 4925ca964..1f183afb4 100644
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@@ -344,6 +344,10 @@ module SinkKind = struct
 taint_all Deserialization
 | "com.facebook.infer.builtins.InferTaint", "inferSensitiveSink" ->
 taint_nth 0 Other
+ | "java.lang.ProcessBuilder", "" ->
+ taint_all ShellExec
+ | "java.lang.ProcessBuilder", "command" ->
+ taint_all ShellExec
 | class_name, method_name ->
 let taint_matching_supertype typename =
 match (Typ.Name.name typename, method_name) with
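Review bot: Widening the receiver-propagation arm to `Tint _ | Tfloat _` return types means every instance method with a primitive result now taints its receiver; that is what lets `cmds.add(tainted)` (boolean return) flow into `builder.command(cmds)` in the new test, but if comparison-style calls such as `s.equals(tainted)` or `s.contains(tainted)` reach this arm they will taint `s` as well, so this trades precision for recall on unknown calls. The replacement comment should record both the motivation and the trade-off, e.g. `(* for instance methods with a non-Object return value (e.g. List.add returning boolean), propagate the taint to the receiver; this over-approximates for pure queries such as equals/contains *)`. The enclosing function starts before the hunk, so whether modeled methods are filtered out earlier cannot be confirmed from here.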
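Review bot: The constructor case on the first added line of the JavaTrace.ml hunk matches the method name `""`, which as rendered here would never match a Java constructor; this looks like a `<init>` token stripped by markup extraction (the expected output in issues.exp likewise prints `ProcessBuilder.(java.lang.String[])` with the name missing), but if the literal really is empty it needs the constructor name convention used by the other entries in this match. Both `command` overloads, `command(String...)` and `command(List<String>)`, are covered by `taint_all`, which the fourth new test relies on. A one-line comment on the `command` arm would help readers: `(* sink fires when the command is set, not at start(); a builder configured with tainted input but never started is still reported *)`.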
diff --git a/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java b/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
index e8f13cd4d..e4c73b4a2 100644
--- a/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
+++ b/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
@@ -15,7 +15,10 @@ import android.text.Html;
 import android.text.Spanned;
 import android.widget.EditText;
 import java.io.IOException;
+import java.lang.ProcessBuilder;
 import java.lang.Runtime;
+import java.util.ArrayList;
+import java.util.List;
 
 import com.facebook.infer.builtins.InferTaint;
@@ -49,5 +52,22 @@ public class UserControlledStrings {
 Runtime.getRuntime().exec(cmds);
 }
 
+ ProcessBuilder clipboardToProcessBuilder1Bad() {
+ return new ProcessBuilder(clipboard.getText().toString());
+ }
+
+ ProcessBuilder clipboardToProcessBuilder2Bad() {
+ return new ProcessBuilder("sh", clipboard.getText().toString());
+ }
+
+ ProcessBuilder clipboardToProcessBuilder3Bad(ProcessBuilder builder) {
+ return builder.command(clipboard.getText().toString());
+ }
+
+ ProcessBuilder clipboardToProcessBuilder4Bad(ProcessBuilder builder) {
+ List cmds = new ArrayList();
+ cmds.add(clipboard.getText().toString());
+ return builder.command(cmds);
+ }
 }
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 01482fea7..e7c726998 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
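Review bot: `import java.lang.ProcessBuilder;` on the first added line of the import hunk is redundant, because `java.lang` is imported implicitly; it mirrors the existing `import java.lang.Runtime;` context line, so it is consistent with the file, but new code should not add more of these. The two `java.util` imports are needed by the `clipboardToProcessBuilder4Bad` method added in the next hunk.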
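Review bot: `List cmds = new ArrayList();` in `clipboardToProcessBuilder4Bad` uses raw types; `List<String> cmds = new ArrayList<>();` matches the `command(List<String>)` overload it is passed to and avoids an unchecked warning in the test build. The four methods only exercise the positive direction of the new `taint_all ShellExec` sinks; a companion `clipboardToProcessBuilderOk()` that builds a `ProcessBuilder` from constant strings would guard against the sink reporting on untainted arguments. A comment on the fourth method, such as `// relies on List.add (boolean return) propagating taint to its receiver`, would explain why it is distinct from the third. The enclosing class `UserControlledStrings` starts before the hunk.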
@@ -204,6 +204,10 @@ codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaInter
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownAbstractCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
+codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder1Bad(), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder.(java.lang.String[]) with tainted index 1]
+codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder2Bad(), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder.(java.lang.String[]) with tainted index 1]
+codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder3Bad(ProcessBuilder), 1, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder ProcessBuilder.command(java.lang.String[]) with tainted index 1]
+codetoanalyze/java/quandary/UserControlledStrings.java, ProcessBuilder UserControlledStrings.clipboardToProcessBuilder4Bad(ProcessBuilder), 3, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to ProcessBuilder ProcessBuilder.command(List) with tainted index 1]
 codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
 codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, CROSS_SITE_SCRIPTING, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String) with tainted index 0]
 codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.clipboardToShellArrayBad(), 2, SHELL_INJECTION, [Return from CharSequence ClipboardManager.getText(),Call to Process Runtime.exec(java.lang.String[]) with tainted index 1]