[quandary] Separate insecure intent handling issue type when call is in an exposed class

Reviewed By: AmarBhosale Differential Revision: D13465395 fbshipit-source-id: ad0ed5b17
6 years ago · a130556869
parent 2d2d861686
commit a130556869
3 changed files with 7 additions and 1 deletions
--- a/infer/src/base/IssueType.ml
+++ b/infer/src/base/IssueType.ml
@ -252,6 +252,8 @@ let eradicate_value_not_present =

 let expensive_execution_time_call = from_string ~enabled:false "EXPENSIVE_EXECUTION_TIME_CALL"

+let exposed_insecure_intent_handling = from_string "EXPOSED_INSECURE_INTENT_HANDLING"
+
 let failure_exe = from_string "Failure_exe"

 let nullsafe_field_not_nullable =
--- a/infer/src/base/IssueType.mli
+++ b/infer/src/base/IssueType.mli
@ -165,6 +165,8 @@ val eradicate_value_not_present : t

 val expensive_execution_time_call : t

+val exposed_insecure_intent_handling : t
+
 val failure_exe : t

 val nullsafe_field_not_nullable : t
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -606,7 +606,9 @@ include Trace.Make (struct
    | DrawableResource _, OpenDrawableResource ->
        (* not a security issue, but useful for debugging flows from resource IDs to inflation *)
        Some IssueType.quandary_taint_error
-    | IntentForInsecureIntentHandling _, StartComponentForInsecureIntentHandling ->
+    | IntentForInsecureIntentHandling {exposed= true}, StartComponentForInsecureIntentHandling ->
+        Some IssueType.exposed_insecure_intent_handling
+    | IntentForInsecureIntentHandling {exposed= false}, StartComponentForInsecureIntentHandling ->
        Some IssueType.insecure_intent_handling
    | IntentFromURI, StartComponent ->
        (* create an intent/start a component using a (possibly user-controlled) URI. may or may not