[quandary] Separate insecure intent handling issue type when call is in an exposed class

Reviewed By: AmarBhosale

Differential Revision: D13465395

fbshipit-source-id: ad0ed5b17
master
Mehdi Bouaziz 6 years ago committed by Facebook Github Bot
parent 2d2d861686
commit a130556869

@ -252,6 +252,8 @@ let eradicate_value_not_present =
let expensive_execution_time_call = from_string ~enabled:false "EXPENSIVE_EXECUTION_TIME_CALL" let expensive_execution_time_call = from_string ~enabled:false "EXPENSIVE_EXECUTION_TIME_CALL"
let exposed_insecure_intent_handling = from_string "EXPOSED_INSECURE_INTENT_HANDLING"
let failure_exe = from_string "Failure_exe" let failure_exe = from_string "Failure_exe"
let nullsafe_field_not_nullable = let nullsafe_field_not_nullable =

@ -165,6 +165,8 @@ val eradicate_value_not_present : t
val expensive_execution_time_call : t val expensive_execution_time_call : t
val exposed_insecure_intent_handling : t
val failure_exe : t val failure_exe : t
val nullsafe_field_not_nullable : t val nullsafe_field_not_nullable : t
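Review bot: The new `exposed_insecure_intent_handling` has a name very close to the existing `insecure_intent_handling`, and nothing in this signature says how the two differ. Going by the commit title, a doc comment such as `(** insecure intent handling where the call is in an exposed class; reported instead of [insecure_intent_handling] in that case *)` would help anyone configuring report filters from the interface pick the right value.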

@ -606,7 +606,9 @@ include Trace.Make (struct
| DrawableResource _, OpenDrawableResource -> | DrawableResource _, OpenDrawableResource ->
(* not a security issue, but useful for debugging flows from resource IDs to inflation *) (* not a security issue, but useful for debugging flows from resource IDs to inflation *)
Some IssueType.quandary_taint_error Some IssueType.quandary_taint_error
| IntentForInsecureIntentHandling _, StartComponentForInsecureIntentHandling -> | IntentForInsecureIntentHandling {exposed= true}, StartComponentForInsecureIntentHandling ->
Some IssueType.exposed_insecure_intent_handling
| IntentForInsecureIntentHandling {exposed= false}, StartComponentForInsecureIntentHandling ->
Some IssueType.insecure_intent_handling Some IssueType.insecure_intent_handling
| IntentFromURI, StartComponent -> | IntentFromURI, StartComponent ->
(* create an intent/start a component using a (possibly user-controlled) URI. may or may not (* create an intent/start a component using a (possibly user-controlled) URI. may or may not
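Review bot: Flows whose source is `IntentForInsecureIntentHandling {exposed= true}` are no longer reported as `IssueType.insecure_intent_handling`; they now appear only under `exposed_insecure_intent_handling`. Any report filter, suppression list or CI gate keyed on the old issue-type name will therefore stop seeing them, and going by the commit title these are presumably the more externally reachable cases. That is worth a line in the release notes so consumers add the new name. The two new arms also carry no comment, unlike the neighbouring ones; above the first I would add `(* call site is in an exposed class: reported under its own issue type so it can be triaged separately *)`. The enclosing match starts and ends outside this hunk.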
