diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml
index 40d824f2e..bfe6f4199 100644
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@@ -45,12 +45,25 @@ module SourceKind = struct
       (QuandaryConfig.Source.of_json Config.quandary_sources)
 
 
+  let actual_has_type n type_string actuals tenv =
+    let is_typ typename _ = String.equal (Typ.Name.name typename) type_string in
+    match List.nth actuals n with
+    | Some actual -> (
+      match HilExp.get_typ tenv actual with
+      | Some {desc= Tptr ({desc= Tstruct typename}, _)} ->
+          PatternMatch.supertype_exists tenv is_typ typename
+      | _ ->
+          false )
+    | None ->
+        false
+
+
   let get pname actuals tenv =
     let return = None in
     match pname with
     | Typ.Procname.Java pname -> (
       match (Typ.Procname.java_get_class_name pname, Typ.Procname.java_get_method pname) with
-      | "android.content.Intent", "" when List.length actuals > 2 ->
+      | "android.content.Intent", "" when actual_has_type 2 "android.net.Uri" actuals tenv ->
           (* taint the [this] parameter passed to the constructor *)
           Some (IntentFromURI, Some 0)
       | ( "android.content.Intent"
diff --git a/infer/tests/codetoanalyze/java/quandary/Intents.java b/infer/tests/codetoanalyze/java/quandary/Intents.java
index c8467ccdf..1b721d0e4 100644
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
@@ -227,4 +227,16 @@ public class Intents {
     return true;
   }
 
+  void startWithClassLiteralOk() {
+    mActivity.startActivity(new Intent(mActivity, MyActivity.class));
+  }
+
+  void startWithUri1Bad(Uri uri) {
+    mActivity.startActivity(new Intent("action", uri));
+  }
+
+  void startWithUri2Bad(Uri uri) {
+    mActivity.startActivity(new Intent("action", uri, mActivity, MyActivity.class));
+  }
+
 }
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 74ac7cb34..fcc6e208d 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@@ -96,6 +96,8 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 12,
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 13, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to Intent Intent.setPackage(String)]
 codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 5, UNTRUSTED_INTENT_CREATION, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri)]
 codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 7, UNTRUSTED_INTENT_CREATION, [Return from String Intent.getStringExtra(String),Call to Intent Intent.setData(Uri)]
+codetoanalyze/java/quandary/Intents.java, void Intents.startWithUri1Bad(Uri), 1, CREATE_INTENT_FROM_URI, [Return from Intent.(String,Uri),Call to void Activity.startActivity(Intent)]
+codetoanalyze/java/quandary/Intents.java, void Intents.startWithUri2Bad(Uri), 1, CREATE_INTENT_FROM_URI, [Return from Intent.(String,Uri,Context,Class),Call to void Activity.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void Context.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.startServiceWithTaintedIntent(), 2, CREATE_INTENT_FROM_URI, [Return from Intent.(String,Uri),Call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
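Review bot: `actual_has_type` answers `false` on both fallback arms (`| _ -> false` when `HilExp.get_typ` does not yield a pointer-to-struct, and `| None -> false` when there is no such actual), so an Intent constructor whose third actual has no recoverable static type is no longer a source, whereas the replaced `List.length actuals > 2` guard still flagged it; a `null` literal or a class absent from `tenv` are the likely cases, though whether `get_typ` returns `None` for them is inferred, not shown in the hunk. For a taint source this is the fail-open direction, so it is worth recording deliberately rather than leaving it implicit: a comment on the wildcard arm such as `(* type unknown or not an object: not treated as a Uri, so the call is not a source *)`, and a doc comment on the helper, `(** [actual_has_type n type_string actuals tenv] holds iff the [n]th actual has a static type equal to or a subtype of [type_string] *)`. The `get` function whose guard changed continues outside the hunk.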