From b61a68e859d49bf70748c7665c35f85705759938 Mon Sep 17 00:00:00 2001 From: Sam Blackshear Date: Wed, 2 Aug 2017 16:10:44 -0700 Subject: [PATCH] [quandary] HTML creation as a sink Reviewed By: mbouaziz Differential Revision: D5503830 fbshipit-source-id: 95ffce6 --- infer/src/quandary/JavaTrace.ml | 9 ++++++++- infer/tests/codetoanalyze/java/quandary/Clipboard.java | 6 ++++++ infer/tests/codetoanalyze/java/quandary/issues.exp | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/infer/src/quandary/JavaTrace.ml b/infer/src/quandary/JavaTrace.ml index 18cbf03be..91df8b7c8 100644 --- a/infer/src/quandary/JavaTrace.ml +++ b/infer/src/quandary/JavaTrace.ml @@ -177,6 +177,7 @@ module SinkKind = struct type t = | CreateFile (** sink that creates a file *) | CreateIntent (** sink that creates an Intent *) + | HTML (** sink that creates HTML *) | JavaScript (** sink that passes its arguments to untrusted JS code *) | Logging (** sink that logs one or more of its arguments *) | StartComponent (** sink that launches an Activity, Service, etc. *) @@ -188,6 +189,8 @@ module SinkKind = struct -> CreateFile | "CreateIntent" -> CreateIntent + | "HTML" + -> HTML | "JavaScript" -> JavaScript | "Logging" @@ -225,6 +228,8 @@ module SinkKind = struct match (Typ.Procname.java_get_class_name java_pname, Typ.Procname.java_get_method java_pname) with + | "android.text.Html", "fromHtml" + -> taint_nth 0 HTML | "android.util.Log", ("e" | "println" | "w" | "wtf") -> taint_all Logging | "java.io.File", "" @@ -293,6 +298,8 @@ module SinkKind = struct -> "CreateFile" | CreateIntent -> "CreateIntent" + | HTML + -> "HTML" | JavaScript -> "JavaScript" | Logging 
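Review bot: The doc comment on the new variant, `| HTML (** sink that creates HTML *)`, misdescribes the only sink that is mapped to it further down: `android.text.Html.fromHtml` parses HTML markup into a `Spanned`, it does not create HTML. The wording matters because this enum doubles as the user-facing sink vocabulary via `of_string`/`to_string`, and "creates HTML" reads like an output-encoding sink rather than a markup-parsing one. Suggest `| HTML (** sink that parses/renders untrusted HTML markup *)`. The `SinkKind.t` definition continues outside the hunk.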
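Review bot: The new case `| "android.text.Html", "fromHtml" -> taint_nth 0 HTML` gives no hint of what is dangerous about the call, whereas the neighbouring pairing in this file annotates `CreateFile` with `potential path-traversal vulnerability`; a reader triaging a QUANDARY_TAINT_ERROR on this sink has nothing to judge the report against. The match is on class and method name only, so it presumably covers every `fromHtml` overload (the markup string is argument 0 in each), which is fine but worth stating next to `taint_nth 0`. Suggest `(* parses attacker-controlled markup; argument 0 is the HTML string in every fromHtml overload *)`, and name the concrete abuse the team has in mind if there is one. The enclosing `match` on `(class_name, method)` starts before and ends after this hunk.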
@@ -327,7 +334,7 @@ include Trace.Make (struct (* create intent/launch component from user-controlled URI *) | UserControlledURI, CreateFile (* create file from user-controller URI; potential path-traversal vulnerability *) - | Clipboard, (StartComponent | CreateIntent | JavaScript | CreateFile) + | Clipboard, (StartComponent | CreateIntent | JavaScript | CreateFile | HTML) -> (* do something sensitive with user-controlled data from the clipboard *) true | Other, _ | _, Other diff --git a/infer/tests/codetoanalyze/java/quandary/Clipboard.java b/infer/tests/codetoanalyze/java/quandary/Clipboard.java index fd1641800..accfb6a1c 100644 --- a/infer/tests/codetoanalyze/java/quandary/Clipboard.java +++ b/infer/tests/codetoanalyze/java/quandary/Clipboard.java @@ -11,6 +11,8 @@ package codetoanalyze.java.quandary; import android.app.Activity; import android.content.ClipboardManager; +import android.text.Html; +import android.text.Spanned; import com.facebook.infer.builtins.InferTaint; @@ -26,4 +28,8 @@ public class Clipboard { // 5 reports } + Spanned clipboardToHtmlBad() { + return Html.fromHtml(clipboard.getText().toString()); + } + } diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp index 6be6a0e3a..84c4cd452 100644 --- a/infer/tests/codetoanalyze/java/quandary/issues.exp +++ b/infer/tests/codetoanalyze/java/quandary/issues.exp 
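Review bot: Adding `HTML` only to the `Clipboard` arm means markup reaching `Html.fromHtml` from the other user-controlled sources visible just above (`UserControlledURI`) is never reported, and the shared comment `(* do something sensitive with user-controlled data from the clipboard *)` does not say whether that narrowing is deliberate. If clipboard text is the only source the team considers realistic for HTML parsing, the comment should record it so the next sink/source pairing is not added by accident or omission. Suggest `(* clipboard contents are attacker-controlled; parsing them as HTML is reported, other sources are not yet paired with HTML *)`. The enclosing match starts before and ends after this hunk.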
@@ -25,6 +25,7 @@ codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad2(), 3, QUANDARY_T
 codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad3(), 4, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad1(int), 3, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad2(int), 6, QUANDARY_TAINT_ERROR, [Return from Object InferTaint.inferSecretSource(),Call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, Spanned Clipboard.clipboardToHtmlBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to Spanned Html.fromHtml(String)]
 codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [Return from CharSequence ClipboardManager.getText(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [Return from ClipData ClipboardManager.getPrimaryClip(),Call to void InferTaint.inferSensitiveSink(Object)]