[quandary] making it easier to specify behavior for unknown functions

Summary:
In Java, we handle unknown code by propagating behavior from the parameters of the unknown function call to the return value (or constructed object, in the case of a constructor). But we do this in a somewhat silly way--generating a new summary with these semantics at each unknown call site. Instead, this diff introduces these two options as predefined behaviors and adds specialized code for them.

As a side effect of this approach, unknown functions are no longer counted as passthroughs. This is ok; the original behavior was less of a reasoned decision and more of an unintended consequence of the way we decided to handle unknown code.

This new approach ought to be more efficient than the old one, and as a virtuous side effect it will be easier to specify how to handle unknown code in other languages like C++.

Reviewed By: jeremydubreil

Differential Revision: D4205624

fbshipit-source-id: bf97445
master
Sam Blackshear 8 years ago committed by Facebook Github Bot
parent b6b7593cf6
commit ad5ff00dcd

@ -22,6 +22,6 @@ include
| QuandarySummary.Cpp trace -> trace
| _ -> assert false
let handle_unknown_call _ _ _ =
let handle_unknown_call _ _ =
[]
end)

@ -22,76 +22,21 @@ include
| QuandarySummary.Java trace -> trace
| _ -> assert false
let make_nth_param_ap n pname ~propagate_all =
let raw_ap =
(* base of this access path is always ignored, so type/name don't matter *)
AccessPath.of_pvar
(Pvar.mk (Mangled.from_string ("fake_param" ^ string_of_int n)) pname) Typ.Tvoid in
if propagate_all then AccessPath.Abstracted raw_ap else AccessPath.Exact raw_ap
(* propagate the trace from the nth parameter of [site.pname] to the return value of
[site.pname]. if [propagate_all] is true, all traces reachable from the parameter will
be propagated as well (e.g., for foo(x), we'll also propagate the traces associated with x.f,
x.f.g, and so on) *)
let propagate_nth_to_return n site ret_typ ~propagate_all =
let pname = CallSite.pname site in
let nth_param_ap = make_nth_param_ap n pname ~propagate_all in
let input = QuandarySummary.make_formal_input n nth_param_ap in
let output =
QuandarySummary.make_return_output
(AccessPath.Exact (AccessPath.of_pvar (Pvar.get_ret_pvar pname) ret_typ)) in
let footprint_source = Trace.Source.make_footprint nth_param_ap site in
let footprint_trace = Trace.of_source footprint_source in
QuandarySummary.make_in_out_summary input output (to_summary_trace footprint_trace)
(* propagate the trace associated with non-receiver actual to the receiver actual. also useful
for propagating taint from constructor actuals to the constructed object (which, like the
receiver, is also the first argument) *)
let propagate_to_receiver site actuals ~propagate_all =
match actuals with
| [] ->
failwithf
"Constructor %a has 0 actuals, which should never happen"
Procname.pp (CallSite.pname site)
| _ :: [] ->
(* constructor has no actuals, nothing to propagate *)
[]
| _ :: actuals ->
let pname = CallSite.pname site in
let constructor_ap = make_nth_param_ap 0 pname ~propagate_all in
let output = QuandarySummary.make_formal_output 0 constructor_ap in
let make_propagation_summary acc n _ =
let n = n + 1 in (* skip the constructor actual *)
let nth_param_ap = make_nth_param_ap n pname ~propagate_all in
let input = QuandarySummary.make_formal_input n nth_param_ap in
let footprint_source = Trace.Source.make_footprint nth_param_ap site in
let footprint_trace = Trace.of_source footprint_source in
let summary =
QuandarySummary.make_in_out_summary input output (to_summary_trace footprint_trace) in
summary :: acc in
IList.fold_lefti make_propagation_summary [] actuals
let propagate_actuals_to_return site ret_type actuals ~propagate_all =
IList.mapi
(fun actual_num _-> propagate_nth_to_return actual_num site ret_type ~propagate_all)
actuals
let handle_unknown_call site ret_typ_opt actuals =
match CallSite.pname site with
let handle_unknown_call pname ret_typ_opt =
match pname with
| (Procname.Java java_pname) as pname ->
begin
match Procname.java_get_class_name java_pname,
Procname.java_get_method java_pname,
ret_typ_opt with
| _ when Procname.is_constructor pname ->
propagate_to_receiver site actuals ~propagate_all:true
[TaintSpec.Propagate_to_receiver]
| ("java.lang.StringBuffer" | "java.lang.StringBuilder" | "java.util.Formatter"), _,
Some ret_typ
Some _
when not (Procname.java_is_static pname) ->
(propagate_actuals_to_return site ret_typ actuals ~propagate_all:true) @
(propagate_to_receiver site actuals ~propagate_all:true)
| _, _, Some ret_typ ->
propagate_actuals_to_return site ret_typ actuals ~propagate_all:true
[TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
| _, _, Some _ ->
[TaintSpec.Propagate_to_return]
| _ ->
[]
end

@ -29,9 +29,9 @@ module Summary = Summary.Make(struct
summary_opt
end)
module Make (TaintSpec : TaintSpec.S) = struct
module Make (TaintSpecification : TaintSpec.S) = struct
module TraceDomain = TaintSpec.Trace
module TraceDomain = TaintSpecification.Trace
module TaintDomain = AccessTree.Make (TraceDomain)
module IdMapDomain = IdAccessPathMapDomain
@ -118,11 +118,15 @@ module Make (TaintSpec : TaintSpec.S) = struct
| None -> TraceDomain.initial
(* get the node associated with [exp] in [access_tree] *)
let exp_get_node exp typ { Domain.access_tree; id_map; } proc_data loc =
let exp_get_node ?(abstracted=false) exp typ { Domain.access_tree; id_map; } proc_data loc =
let f_resolve_id = resolve_id id_map in
match AccessPath.of_lhs_exp exp typ ~f_resolve_id with
| Some access_path ->
access_path_get_node (AccessPath.Exact access_path) access_tree proc_data loc
| Some raw_access_path ->
let access_path =
if abstracted
then AccessPath.Abstracted raw_access_path
else AccessPath.Exact raw_access_path in
access_path_get_node access_path access_tree proc_data loc
| None ->
(* can't make an access path from [exp] *)
None
@ -155,7 +159,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
match Summary.read_summary proc_data.tenv proc_data.pdesc pname with
| Some summary ->
let join_output_trace acc { QuandarySummary.output_trace; } =
TraceDomain.join (TaintSpec.of_summary_trace output_trace) acc in
TraceDomain.join (TaintSpecification.of_summary_trace output_trace) acc in
IList.fold_left join_output_trace TraceDomain.initial summary
| None ->
TraceDomain.initial in
@ -295,7 +299,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
Some (global_ap, global_trace) in
match caller_ap_trace_opt with
| Some (caller_ap, caller_trace) ->
let output_trace = TaintSpec.of_summary_trace in_out_summary.output_trace in
let output_trace = TaintSpecification.of_summary_trace in_out_summary.output_trace in
let appended_trace = TraceDomain.append in_trace output_trace callee_site in
let joined_trace = TraceDomain.join caller_trace appended_trace in
let filtered_trace = report_and_filter_trace joined_trace callee_site proc_data in
@ -365,6 +369,45 @@ module Make (TaintSpec : TaintSpec.S) = struct
astate
| Sil.Call (ret, Const (Cfun called_pname), actuals, callee_loc, call_flags) ->
let handle_unknown_call callee_pname astate =
let exp_join_traces trace_acc (exp, typ) =
match exp_get_node ~abstracted:true exp typ astate proc_data callee_loc with
| Some (trace, _) -> TraceDomain.join trace trace_acc
| None -> trace_acc in
let propagate_to_access_path access_path actuals (astate : Domain.astate) =
let trace_with_propagation =
IList.fold_left exp_join_traces TraceDomain.initial actuals in
let access_tree =
TaintDomain.add_trace access_path trace_with_propagation astate.access_tree in
{ astate with access_tree; } in
let handle_unknown_call_ astate_acc propagation =
match propagation, actuals, ret with
| _, [], _ ->
astate_acc
| TaintSpec.Propagate_to_return, actuals, Some (ret_id, ret_typ) ->
let ret_ap = AccessPath.Exact (AccessPath.of_id ret_id ret_typ) in
propagate_to_access_path ret_ap actuals astate_acc
| TaintSpec.Propagate_to_receiver,
(receiver_exp, receiver_typ) :: (_ :: _ as other_actuals),
_ ->
let receiver_ap =
match AccessPath.of_lhs_exp receiver_exp receiver_typ ~f_resolve_id with
| Some ap ->
AccessPath.Exact ap
| None ->
failwithf
"Receiver for called procedure %a does not have an access path"
Procname.pp
callee_pname in
propagate_to_access_path receiver_ap other_actuals astate_acc
| _ ->
astate_acc in
let propagations =
TaintSpecification.handle_unknown_call callee_pname (Option.map snd ret) in
IList.fold_left handle_unknown_call_ astate propagations in
let analyze_call astate_acc callee_pname =
let call_site = CallSite.make callee_pname callee_loc in
@ -391,11 +434,11 @@ module Make (TaintSpec : TaintSpec.S) = struct
(* don't use a summary for a procedure that is a direct source or sink *)
astate_with_source
else
let summary =
match Summary.read_summary proc_data.tenv proc_data.pdesc callee_pname with
| Some summary -> summary
| None -> TaintSpec.handle_unknown_call call_site (Option.map snd ret) actuals in
apply_summary ret actuals summary astate_with_source proc_data call_site in
| Some summary ->
apply_summary ret actuals summary astate_with_source proc_data call_site
| None ->
handle_unknown_call callee_pname astate_with_source in
Domain.join astate_acc astate_with_summary in
@ -443,7 +486,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
| Var.ProgramVar pvar -> Pvar.is_return pvar
| Var.LogicalVar _ -> false in
let add_summaries_for_trace summary_acc access_path trace =
let summary_trace = TaintSpec.to_summary_trace trace in
let summary_trace = TaintSpecification.to_summary_trace trace in
let output_opt =
let base, accesses = AccessPath.extract access_path in
match AccessPath.BaseMap.find base formal_map with

@ -10,12 +10,16 @@
(** combination of a trace with functions for handling unknown code and converting to and from
summaries *)
type handle_unknown =
| Propagate_to_return
| Propagate_to_receiver
module type S = sig
module Trace : Trace.S
(** return a summary for handling an unknown call at the given site with the given return type
and actuals *)
val handle_unknown_call : CallSite.t -> Typ.t option -> (Exp.t * Typ.t) list -> QuandarySummary.t
val handle_unknown_call : Procname.t -> Typ.t option -> handle_unknown list
(** convert a trace type into a summary trace. can be killed if we functorize specs.ml *)
val to_summary_trace : Trace.t -> QuandarySummary.summary_trace

@ -67,7 +67,7 @@ module MockTaintAnalysis = TaintAnalysis.Make(struct
let of_summary_trace _ = assert false
let to_summary_trace _ = assert false
let handle_unknown_call _ _ _ = []
let handle_unknown_call _ _ = []
end)
module TestInterpreter = AnalyzerTester.Make

@ -105,54 +105,54 @@ codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSou
codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaParameter2Bad(Interprocedural$Obj,Interprocedural$Obj), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through void Interprocedural.returnSourceViaParameter2(Interprocedural$Obj,Interprocedural$Obj),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.setGlobalThenCallSinkBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through void Interprocedural.setGlobal(Object),call to void Interprocedural.callSinkOnGlobal(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.singlePassthroughBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.id(Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.e(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.println(int,String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.w(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.wtf(String,String)]
codetoanalyze/java/quandary/Recursion.java, void Recursion.callSinkThenDivergeBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.callSinkThenDiverge(Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Recursion.java, void Recursion.recursionBad(int,Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.recursionBad(int,Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Recursion.java, void Recursion.safeRecursionCallSinkBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.safeRecursionCallSink(int,Object),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Formatter Formatter.format(String,java.lang.Object[]),flow through String Formatter.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Formatter Formatter.format(String,java.lang.Object[]),flow through String Formatter.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuffer StringBuffer.append(Object),flow through StringBuffer StringBuffer.append(String),flow through String StringBuffer.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuffer StringBuffer.append(Object),flow through String StringBuffer.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through StringBuilder StringBuilder.append(String),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderIgnoreReturnBad(), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderSugarBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through StringBuilder StringBuilder.append(String),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through String.<init>(String),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderIgnoreReturnBad(), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderSugarBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]

Loading…
Cancel
Save