diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml
index 8b94377fe..c1ea659f4 100644
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@@ -13,22 +13,22 @@ module L = Logging
 module SourceKind = struct
 type t =
- | Clipboard (** data read from the clipboard service *)
 | Intent (** external Intent or a value read from one *)
 | Other (** for testing or uncategorized sources *)
 | PrivateData (** private user or device-specific data *)
- | UserControlledURI (** resource locator controller by user *)
+ | UserControlledString (** data read from a text box or the clipboard service *)
+ | UserControlledURI (** resource locator from the browser bar *)
 [@@deriving compare]
 let of_string = function
- | "Clipboard"
- -> Clipboard
 | "Intent"
 -> Intent
 | "PrivateData"
 -> PrivateData
 | "UserControlledURI"
 -> UserControlledURI
+ | "UserControlledString"
+ -> UserControlledString
 | _
 -> Other
@@ -62,7 +62,9 @@ module SourceKind = struct
 -> Some (PrivateData, return)
 | ( ("android.content.ClipboardManager" | "android.text.ClipboardManager")
 , ("getPrimaryClip" | "getText") )
- -> Some (Clipboard, return)
+ -> Some (UserControlledString, return)
+ | "android.widget.EditText", "getText"
+ -> Some (UserControlledString, return)
 | _
 -> None
 in
@@ -154,16 +156,16 @@ module SourceKind = struct
 let pp fmt kind =
 F.fprintf fmt
 ( match kind with
- | Clipboard
- -> "Clipboard"
 | Intent
 -> "Intent"
- | UserControlledURI
- -> "UserControlledURI"
+ | Other
+ -> "Other"
 | PrivateData
 -> "PrivateData"
- | Other
- -> "Other" )
+ | UserControlledString
+ -> "UserControlledString"
+ | UserControlledURI
+ -> "UserControlledURI" )
 end
 module JavaSource = Source.Make (SourceKind)
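Review bot: `of_string` no longer recognises the name "Clipboard", so that string now falls through `| _ -> Other`, and the sink rule further down this file treats `Other` as matching every sink. If `of_string` is fed from user-written source configuration (not visible in this hunk), an existing "Clipboard" entry would silently change meaning and start reporting against all sinks. Keeping the old name as an alias avoids that: replace the added `| "UserControlledString"` line with `| "Clipboard" | "UserControlledString"`.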
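Review bot: The new source arm matches only the literal class name `"android.widget.EditText"`, so coverage of `getText` called through a subclass-typed receiver (for example `AutoCompleteTextView`) depends on how the enclosing matcher resolves class names, which lies outside this hunk. If the name is compared literally, those reads stay untainted and flows like the new `editTextToHtmlBad` would go unreported for them. Either use a supertype-aware match or state the limit on the arm, e.g. `(* exact class only; subclasses of EditText are not covered *)`.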
@@ -327,8 +329,8 @@ include Trace.Make (struct
 (* create intent/launch component from user-controlled URI *)
 | UserControlledURI, CreateFile
 (* create file from user-controller URI; potential path-traversal vulnerability *)
- | Clipboard, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML)
- -> (* do something sensitive with user-controlled data from the clipboard *)
+ | UserControlledString, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML)
+ -> (* do something sensitive with a user-controlled string *)
 true
 | Other, _ | _, Other
 -> (* for testing purposes, Other matches everything *)
diff --git a/infer/tests/codetoanalyze/java/quandary/Clipboard.java b/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
similarity index 85%
rename from infer/tests/codetoanalyze/java/quandary/Clipboard.java
rename to infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
index accfb6a1c..28a95c224 100644
--- a/infer/tests/codetoanalyze/java/quandary/Clipboard.java
+++ b/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
@@ -13,10 +13,11 @@ import android.app.Activity;
 import android.content.ClipboardManager;
 import android.text.Html;
 import android.text.Spanned;
+import android.widget.EditText;
 import com.facebook.infer.builtins.InferTaint;
-public class Clipboard {
+public class UserControlledStrings {
 ClipboardManager clipboard;
 void readClipboardSourcesBad() {
@@ -32,4 +33,9 @@ public class Clipboard {
 return Html.fromHtml(clipboard.getText().toString());
 }
+ EditText mEditText;
+ Spanned editTextToHtmlBad() {
+ return Html.fromHtml(mEditText.getText().toString());
+ }
+
 }
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 2fba42304..059275997 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
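Review bot: The rewritten comment on the `UserControlledString` arm no longer says who controls the string, and the two sources now behind this kind differ: clipboard contents can be set by another app, while `EditText` contents are typed or pasted by the person using the device. Anyone triaging a report from this rule needs that distinction to judge severity, so I would spell it out, e.g. `(* string from the clipboard (writable by other apps) or a text box (typed or pasted by the user) reaches a sensitive sink *)`. The match this arm belongs to starts and ends outside the hunk.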
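Review bot: `editTextToHtmlBad` exercises the new `EditText.getText` source only through the `HTML` sink, while the rule in JavaTrace.ml also pairs `UserControlledString` with `StartComponent`, `CreateIntent`, `JavaScript` and `CreateFile`. A second case through the generic test sink would pin the source independently of any one sink, as the clipboard tests already do: `void readEditTextSourceBad() { InferTaint.inferSensitiveSink(mEditText.getText()); }`, with the matching line added to issues.exp. Declaring `EditText mEditText;` beside the `clipboard` field would also keep the fields together at the top of the class.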
@@ -25,12 +25,6 @@ codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad2(), 3, QUANDARY_T codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad3(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Basics.java, void Basics.whileBad1(int), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Basics.java, void Basics.whileBad2(int), 6, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Clipboard.java, Spanned Clipboard.clipboardToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String)] -codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] 
codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal), 1, QUANDARY_TAINT_ERROR, [Return from AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal),Call to File.(String)] codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal), 2, QUANDARY_TAINT_ERROR, [Return from AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal),Call to File.(String)] codetoanalyze/java/quandary/ContentProviders.java, Bundle ContentProviders.call(String,String,Bundle), 1, QUANDARY_TAINT_ERROR, [Return from Bundle ContentProviders.call(String,String,Bundle),Call to File.(String)] 
@@ -224,6 +218,13 @@ codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaInter codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownAbstractCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String)] +codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String)] +codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] 
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/WebViews.java, WebResourceResponse WebViews$MyWebViewClient.shouldInterceptRequest(WebView,WebResourceRequest), 1, QUANDARY_TAINT_ERROR, [Return from WebResourceResponse WebViews$MyWebViewClient.shouldInterceptRequest(WebView,WebResourceRequest),Call to void Activity.startActivity(Intent)] codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult), 2, QUANDARY_TAINT_ERROR, [Return from boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult),Call to Intent Intent.parseUri(String,int)] codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult), 2, QUANDARY_TAINT_ERROR, [Return from boolean WebViews$MyWebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult),Call to Intent Intent.parseUri(String,int)]