From 52dbd129cd23932e545807d82cc57e1f4af64dc9 Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Tue, 4 Apr 2017 15:13:21 -0700
Subject: [PATCH] [quandary] don't complain about transferring extras between intents
Reviewed By: AmarBhosale
Differential Revision: D4806571
fbshipit-source-id: cf138e9
---
 infer/src/quandary/JavaTaintAnalysis.ml | 4 ++++
 .../codetoanalyze/java/quandary/Intents.java | 22 +++++++++++++++++++
 .../codetoanalyze/java/quandary/issues.exp | 2 ++
 3 files changed, 28 insertions(+)
diff --git a/infer/src/quandary/JavaTaintAnalysis.ml b/infer/src/quandary/JavaTaintAnalysis.ml
index e4c6f3565..422d5a614 100644
--- a/infer/src/quandary/JavaTaintAnalysis.ml
+++ b/infer/src/quandary/JavaTaintAnalysis.ml
@@ -39,6 +39,10 @@ include
 match Typ.Procname.java_get_class_name java_pname,
 Typ.Procname.java_get_method java_pname,
 ret_typ_opt with
+ | "android.content.Intent", ("putExtra" | "putExtras"), _ ->
+ (* don't care about tainted extras. instead. we'll check that result of getExtra is
+ always used safely *)
+ []
 | _ when Typ.Procname.is_constructor pname ->
 [TaintSpec.Propagate_to_receiver]
 | _, _, (Some Typ.Tvoid | None) when not is_static ->
diff --git a/infer/tests/codetoanalyze/java/quandary/Intents.java b/infer/tests/codetoanalyze/java/quandary/Intents.java
index c4bceec03..53c7490b9 100644
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
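Review bot: The new `putExtra`/`putExtras` case in JavaTaintAnalysis.ml returns `[]` regardless of what kind of source tainted the argument, so (presumably, given that the sibling cases return propagation specs) a value from a secret source written into an extra stops being tracked once it is inside the Intent. The comment's reasoning, that the result of getExtra is checked instead, only holds when the component that reads the extra is part of the analysed code. I would state that assumption in the comment, e.g. `(* extras are not tracked through the Intent; we rely on checking getExtra results where they are read, so an extra sent to a component outside the analysed code goes unchecked *)`, which also removes the stray full stop in "instead. we'll". The case matches the literal class name `"android.content.Intent"`, so whether a call made through an Intent subclass takes this branch depends on how `java_get_class_name` resolves the callee, which is not visible here; the enclosing `match` starts and ends outside the hunk.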
@@ -102,4 +102,26 @@ public class Intents {
 activity.startActivity(activity.getIntent());
 }
+ Activity mActivity;
+
+ void extraToDataBad() {
+ Intent taintedIntent = (Intent) InferTaint.inferSecretSource();
+ String extra = taintedIntent.getStringExtra("foo");
+
+ Intent newIntent1 = new Intent();
+ mActivity.startActivity(newIntent1.setData(Uri.parse(extra))); // should report
+ Intent newIntent2 = new Intent();
+ newIntent2.setData(Uri.parse(extra));
+ mActivity.startActivity(newIntent2); // should report
+ }
+
+ void extraToExtraOk() {
+ Intent taintedIntent = (Intent) InferTaint.inferSecretSource();
+ String extra = taintedIntent.getStringExtra("foo");
+
+ Intent newIntent = new Intent();
+ newIntent.putExtra("foo", extra);
+ mActivity.startActivity(newIntent);
+ }
+
 }
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 1db5d2bbc..97e67d475 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
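Review bot: `extraToExtraOk` exercises only `putExtra`, while the rule added in JavaTaintAnalysis.ml also names `putExtras`, so that half of the pattern has no test in Intents.java. A sibling test that copies the extras in bulk, as sketched below, would pin it; I would expect it to add no line to issues.exp, but that needs confirming by running the analysis. A one-line comment on `extraToExtraOk` saying why the flow is accepted, such as `// extras are checked where they are read, not where they are written`, would also help, since the value originates from `inferSecretSource()`.

```java
  // … unchanged: extraToDataBad, extraToExtraOk …

  void extrasToExtrasOk() {
    Intent taintedIntent = (Intent) InferTaint.inferSecretSource();

    Intent newIntent = new Intent();
    newIntent.putExtras(taintedIntent.getExtras());
    mActivity.startActivity(newIntent);
  }
```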
@@ -86,6 +86,8 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 10,
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 11, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndType(Uri,String)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 12, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setDataAndTypeAndNormalize(Uri,String)]
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinks(), 13, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setPackage(String)]
+codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 5, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setData(Uri)]
+codetoanalyze/java/quandary/Intents.java, void Intents.extraToDataBad(), 7, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setData(Uri)]
 codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity), 1, QUANDARY_TAINT_ERROR, [return from Intent Activity.getIntent(),call to void Activity.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Context.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void MyActivity.onActivityResult(int,int,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onActivityResult(int,int,Intent),call to ComponentName ContextWrapper.startService(Intent)]