[quandary] only Intents created from Uris should be sources

Reviewed By: jeremydubreil Differential Revision: D6560709 fbshipit-source-id: bc2b5d3
7 years ago · 41129087e4
parent 32675a7b02
commit 41129087e4
3 changed files with 28 additions and 1 deletions
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -45,12 +45,25 @@ module SourceKind = struct
      (QuandaryConfig.Source.of_json Config.quandary_sources)


+  let actual_has_type n type_string actuals tenv =
+    let is_typ typename _ = String.equal (Typ.Name.name typename) type_string in
+    match List.nth actuals n with
+    | Some actual -> (
+      match HilExp.get_typ tenv actual with
+      | Some {desc= Tptr ({desc= Tstruct typename}, _)} ->
+          PatternMatch.supertype_exists tenv is_typ typename
+      | _ ->
+          false )
+    | None ->
+        false
+
+
  let get pname actuals tenv =
    let return = None in
    match pname with
    | Typ.Procname.Java pname -> (
      match (Typ.Procname.java_get_class_name pname, Typ.Procname.java_get_method pname) with
-      | "android.content.Intent", "<init>" when List.length actuals > 2 ->
+      | "android.content.Intent", "<init>" when actual_has_type 2 "android.net.Uri" actuals tenv ->
          (* taint the [this] parameter passed to the constructor *)
          Some (IntentFromURI, Some 0)
      | ( "android.content.Intent"
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
@ -227,4 +227,16 @@ public class Intents {
    return true;
  }

+  void startWithClassLiteralOk() {
+    mActivity.startActivity(new Intent(mActivity, MyActivity.class));
+  }
+
+  void startWithUri1Bad(Uri uri) {
+    mActivity.startActivity(new Intent("action", uri));
+  }
+
+  void startWithUri2Bad(Uri uri) {
+    mActivity.startActivity(new Intent("action", uri, mActivity, MyActivity.class));
+  }
+
 }
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -96,6 +96,8 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 12,
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 13, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setPackage(String)]
 codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 5, UNTRUSTED_INTENT_CREATION, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri)]
 codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 7, UNTRUSTED_INTENT_CREATION, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri)]
+codetoanalyze/java/quandary/Intents.java, void Intents.startWithUri1Bad(Uri), 1, CREATE_INTENT_FROM_URI, [Return from Intent.<init>(String,Uri),Call to void Activity.startActivity(Intent)]
+codetoanalyze/java/quandary/Intents.java, void Intents.startWithUri2Bad(Uri), 1, CREATE_INTENT_FROM_URI, [Return from Intent.<init>(String,Uri,Context,Class),Call to void Activity.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Context.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.startServiceWithTaintedIntent(), 2, CREATE_INTENT_FROM_URI, [Return from Intent.<init>(String,Uri),Call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]