[quandary] `WebResourceRequest.getUrl` as source

Reviewed By: the-st0rm

Differential Revision: D7336116

fbshipit-source-id: 5d458e5
master
Sam Blackshear 7 years ago committed by Facebook Github Bot
parent fd6a1e0e2b
commit 670ae4a673

@ -109,6 +109,8 @@ module SourceKind = struct
| ( ("android.content.ClipboardManager" | "android.text.ClipboardManager")
, ("getPrimaryClip" | "getText") ) ->
Some (UserControlledString, return)
| "android.webkit.WebResourceRequest", "getUrl" ->
Some (UserControlledURI, return)
| "android.widget.EditText", "getText" ->
Some (UserControlledString, return)
| class_name, method_name ->
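Review bot: The added `"android.webkit.WebResourceRequest", "getUrl"` case carries no comment on why its return value is `UserControlledURI`. A line above it such as `(* URL of a request issued by content loaded in a WebView, so chosen by whoever controls that content *)` would record the trust assumption for the next maintainer. `WebResourceRequest` is an interface, and whether a call resolved against an implementing class still matches this exact string pair seems to depend on the fallback `| class_name, method_name ->` branch, whose body lies outside the hunk; that is worth confirming. If the same reasoning holds for `getRequestHeaders`, it may deserve its own case, but nothing on this page shows whether it is already covered.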

@ -9,6 +9,7 @@
package codetoanalyze.java.quandary;
import java.io.File;
import java.net.URISyntaxException;
import android.app.Activity;
@ -67,6 +68,10 @@ public class WebViews {
return null;
}
File webResourceToFileBad(WebResourceRequest request) {
return new File(request.getUrl().getPath());
}
@Override
public boolean shouldOverrideUrlLoading(WebView w, String url) {
try {
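Review bot: `webResourceToFileBad` is the only test for the new source, and it pins it against a single sink, the `File` constructor reported as `UNTRUSTED_FILE` in the expected output. The method also has no comment saying what makes it bad. Something like `// request.getUrl() is chosen by the content loaded in the WebView, so its path must not select a local file` above the method would make the intent clear. A companion case that should stay silent, for example one that never passes the URL's path to a file API, would guard against the new source over-reporting. The enclosing class starts and ends outside the hunk, so existing tests elsewhere in the file may already cover this.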

@ -219,6 +219,7 @@ codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrin
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/UserControlledStrings.java, void UserControlledStrings.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object) with tainted index 0]
codetoanalyze/java/quandary/WebViews.java, File WebViews$MyWebViewClient.webResourceToFileBad(WebResourceRequest), 1, UNTRUSTED_FILE, ERROR, [Return from Uri WebResourceRequest.getUrl(),Call to File.<init>(String) with tainted index 1]
codetoanalyze/java/quandary/WebViews.java, WebResourceResponse WebViews$MyWebViewClient.shouldInterceptRequest(WebView,WebResourceRequest), 1, CREATE_INTENT_FROM_URI, ERROR, [Return from Intent.<init>(String,Uri),Call to void Activity.startActivity(Intent) with tainted index 1]
codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult), 2, UNTRUSTED_INTENT_CREATION, ERROR, [Return from boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult),Call to Intent Intent.parseUri(String,int) with tainted index 0]
codetoanalyze/java/quandary/WebViews.java, boolean WebViews$MyWebChromeClient.onJsAlert(WebView,String,String,JsResult), 3, CREATE_INTENT_FROM_URI, ERROR, [Return from Intent Intent.parseUri(String,int),Call to void Activity.startActivity(Intent) with tainted index 1]
