From c19bee7772349c8dfd1690f74621aafd752a5e61 Mon Sep 17 00:00:00 2001
From: Sam Blackshear
Date: Fri, 20 Jan 2017 08:32:25 -0800
Subject: [PATCH] [quandary] for instance methods with no return value, propagate the taint to the receiver

Summary:
If we have code like
```
o.setF(source())
sink(o)
```
and `setF` is an unknown method, we probably want to report.

Reviewed By: jeremydubreil, mburman

Differential Revision: D4438896

fbshipit-source-id: 5edd204
---
 infer/src/quandary/JavaTaintAnalysis.ml | 5 ++++-
 .../tests/codetoanalyze/java/quandary/UnknownCode.java | 10 ++++++++++
 infer/tests/codetoanalyze/java/quandary/issues.exp | 1 +
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/infer/src/quandary/JavaTaintAnalysis.ml b/infer/src/quandary/JavaTaintAnalysis.ml
index f8171b61e..c794a7629 100644
--- a/infer/src/quandary/JavaTaintAnalysis.ml
+++ b/infer/src/quandary/JavaTaintAnalysis.ml
@@ -36,9 +36,12 @@ include
 Some _ when not (Procname.java_is_static pname) ->
 [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
+ | _, _, (Some Typ.Tvoid | None) when not (Procname.java_is_static pname) ->
+ (* for instance methods with no return value, propagate the taint to the receiver *)
+ [TaintSpec.Propagate_to_receiver]
 | _, _, Some _ ->
 [TaintSpec.Propagate_to_return]
- | _ ->
+ | _, _, None ->
 []
 end
 | pname when BuiltinDecl.is_declared pname ->
diff --git a/infer/tests/codetoanalyze/java/quandary/UnknownCode.java b/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
index 80de59d4a..6e8ac0695 100644
--- a/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
+++ b/infer/tests/codetoanalyze/java/quandary/UnknownCode.java
@@ -11,6 +11,9 @@ package codetoanalyze.java.quandary;
 import com.facebook.infer.builtins.InferTaint;
+import android.content.Intent;
+import android.os.Parcel;
+
 /** testing how the analysis handles missing/unknown code */
 public abstract class UnknownCode {
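Review bot: The comment on the new `(Some Typ.Tvoid | None)` arm in JavaTaintAnalysis.ml says what the rule does but not that it is a deliberate over-approximation: every unknown void instance call is now treated as if it stored its tainted arguments into the receiver, which is what makes the setter case report but presumably also taints receivers of unknown void methods that merely read their arguments. I would extend the comment to `(* over-approximation: an unknown void instance method is assumed to store its (possibly tainted) arguments in the receiver, as a setter would *)` so the trade-off is visible to whoever later tunes false positives. The arm directly above begins outside the hunk, so its first two tuple components are not visible here; if it already matches `_, _, Some _` for non-static methods, the `Some Typ.Tvoid` alternative of the new arm can never fire, and because both arms carry `when` guards the compiler will not report it as unused — worth confirming against the full match. The enclosing match starts outside the hunk.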
@@ -43,6 +46,13 @@ public abstract class UnknownCode {
 InferTaint.inferSensitiveSink(launderedSource3);
 }
+ void callUnknownSetterBad(Intent i) {
+ Object source = InferTaint.inferSecretSource();
+ // we don't analyze the source code for Android, so this will be unknown
+ i.writeToParcel((Parcel) source, 0);
+ InferTaint.inferSensitiveSink(i);
+ }
+
 static void FN_propagateViaInterfaceCodeBad(Interface i) {
 Object source = InferTaint.inferSecretSource();
 Object launderedSource = i.interfaceMethod(source);
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 0a80e9c4e..f6138a0c1 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
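Review bot: callUnknownSetterBad pins only the positive side of the new rule — an unknown void instance call taints its receiver — while the boundary the rule draws (an unknown static void method still propagates nothing, per the `java_is_static` guard in the analysis change) has no fixture, so a regression that dropped that guard would not change issues.exp. A sibling case that passes the tainted value to an unknown static void method and then sinks an unrelated object, named with the Ok suffix these fixtures appear to use for non-reports, would make that boundary explicit. The `(Parcel) source` cast exists only to satisfy the signature of the unknown callee and deserves a few words in the existing comment, e.g. `// cast only to reach writeToParcel; the value is still the tainted source`. The enclosing class UnknownCode starts and ends outside the hunk.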
@@ -175,6 +175,7 @@ codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedCont
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 2, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 3, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/TaintedFormals.java, void TaintedFormals.taintedContextBad(String,Boolean,Integer), 4, QUANDARY_TAINT_ERROR, [return from void TaintedFormals.taintedContextBad(String,Boolean,Integer),call to void TaintedFormals.callSink(Object),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.callUnknownSetterBad(Intent), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsAlert(WebView,String,String,JsResult)]
 codetoanalyze/java/quandary/WebViews.java, void WebViews.callWebviewChromeClientSinks(WebView,WebChromeClient), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to boolean WebChromeClient.onJsBeforeUnload(WebView,String,String,JsResult)]