[quandary] EditText.getText() as source

Differential Revision: D5797834 fbshipit-source-id: 70760cb
7 years ago · 5ff6e2c786
parent f7258c2ab4
commit 5ff6e2c786
3 changed files with 29 additions and 20 deletions
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -13,22 +13,22 @@ module L = Logging

 module SourceKind = struct
  type t =
-    | Clipboard  (** data read from the clipboard service *)
    | Intent  (** external Intent or a value read from one *)
    | Other  (** for testing or uncategorized sources *)
    | PrivateData  (** private user or device-specific data *)
-    | UserControlledURI  (** resource locator controller by user *)
+    | UserControlledString  (** data read from a text box or the clipboard service *)
+    | UserControlledURI  (** resource locator from the browser bar *)
    [@@deriving compare]

  let of_string = function
-    | "Clipboard"
-     -> Clipboard
    | "Intent"
     -> Intent
    | "PrivateData"
     -> PrivateData
    | "UserControlledURI"
     -> UserControlledURI
+    | "UserControlledString"
+     -> UserControlledString
    | _
     -> Other

@ -62,7 +62,9 @@ module SourceKind = struct
             -> Some (PrivateData, return)
            | ( ("android.content.ClipboardManager" | "android.text.ClipboardManager")
              , ("getPrimaryClip" | "getText") )
-             -> Some (Clipboard, return)
+             -> Some (UserControlledString, return)
+            | "android.widget.EditText", "getText"
+             -> Some (UserControlledString, return)
            | _
             -> None
          in
@ -154,16 +156,16 @@ module SourceKind = struct
  let pp fmt kind =
    F.fprintf fmt
      ( match kind with
-      | Clipboard
-       -> "Clipboard"
      | Intent
       -> "Intent"
-      | UserControlledURI
-       -> "UserControlledURI"
+      | Other
+       -> "Other"
      | PrivateData
       -> "PrivateData"
-      | Other
-       -> "Other" )
+      | UserControlledString
+       -> "UserControlledString"
+      | UserControlledURI
+       -> "UserControlledURI" )
 end

 module JavaSource = Source.Make (SourceKind)
@ -327,8 +329,8 @@ include Trace.Make (struct
    (* create intent/launch component from user-controlled URI *)
    | UserControlledURI, CreateFile
    (* create file from user-controller URI; potential path-traversal vulnerability *)
-    | Clipboard, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML)
-     -> (* do something sensitive with user-controlled data from the clipboard *)
+    | UserControlledString, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML)
+     -> (* do something sensitive with a user-controlled string *)
        true
    | Other, _ | _, Other
     -> (* for testing purposes, Other matches everything *)
--- a/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
+++ b/infer/tests/codetoanalyze/java/quandary/UserControlledStrings.java
@ -13,10 +13,11 @@ import android.app.Activity;
 import android.content.ClipboardManager;
 import android.text.Html;
 import android.text.Spanned;
+import android.widget.EditText;

 import com.facebook.infer.builtins.InferTaint;

-public class Clipboard {
+public class UserControlledStrings {
  ClipboardManager clipboard;

  void readClipboardSourcesBad() {
@ -32,4 +33,9 @@ public class Clipboard {
    return Html.fromHtml(clipboard.getText().toString());
  }

+  EditText mEditText;
+  Spanned editTextToHtmlBad() {
+    return Html.fromHtml(mEditText.getText().toString());
+  }
+
 }
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -25,12 +25,6 @@ codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad2(), 3, QUANDARY_T
 codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad3(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad1(int), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad2(int), 6, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Clipboard.java, Spanned Clipboard.clipboardToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String)]
-codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
-codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal), 1, QUANDARY_TAINT_ERROR, [Return from AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal), 2, QUANDARY_TAINT_ERROR, [Return from AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal),Call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, Bundle ContentProviders.call(String,String,Bundle), 1, QUANDARY_TAINT_ERROR, [Return from Bundle ContentProviders.call(String,String,Bundle),Call to File.<init>(String)]
@ -224,6 +218,13 @@ codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaInter
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownAbstractCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownNativeCodeBad(), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.clipboardToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String)]
+codetoanalyze/java/quandary/UserControlledStrings.java, Spanned UserControlledStrings.editTextToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from Editable EditText.getText(),Call to Spanned Html.fromHtml(String)]
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/WebViews.java, WebResourceResponse WebViews$MyWebViewClient.shouldInterceptRequest(WebView,WebResourceRequest), 1, QUANDARY_TAINT_ERROR, [Return from WebResourceResponse WebViews$MyWebViewClient.shouldInterceptRequest(WebView,WebResourceRequest),Call to void Activity.startActivity(Intent)]
 codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult), 2, QUANDARY_TAINT_ERROR, [Return from boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult),Call to Intent Intent.parseUri(String,int)]
 codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult), 2, QUANDARY_TAINT_ERROR, [Return from boolean WebViews$MyWebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult),Call to Intent Intent.parseUri(String,int)]