[quandary] clipboard as a source

Reviewed By: mburman

Differential Revision: D5046627

fbshipit-source-id: f5f4c4d

infer/src/quandary/JavaTrace.ml

@@ -14,6 +14,7 @@ module L = Logging
 
 module SourceKind = struct
   type t =
+    | Clipboard (** data read from the clipboard service *)
     | Intent (** external Intent or a value read from one *)
     | Other (** for testing or uncategorized sources *)
     | PrivateData (** private user or device-specific data *)
@@ -24,6 +25,7 @@ module SourceKind = struct
   let unknown = Unknown
 
   let of_string = function
+    | "Clipboard" -> Clipboard
     | "Intent" -> Intent
     | "PrivateData" -> PrivateData
     | "UserControlledURI" -> UserControlledURI
@@ -61,6 +63,9 @@ module SourceKind = struct
                     Some (Intent, return)
                 | "android.content.SharedPreferences", "getString" ->
                     Some (PrivateData, return)
+                | ("android.content.ClipboardManager" | "android.text.ClipboardManager"),
+                  ("getPrimaryClip" | "getText") ->
+                    Some (Clipboard, return)
                 | _ ->
                     None in
               let kind_opt =
@@ -171,6 +176,7 @@ module SourceKind = struct
   let pp fmt kind =
     F.fprintf fmt
       (match kind with
+       | Clipboard -> "Clipboard"
        | Intent -> "Intent"
        | UserControlledURI -> "UserControlledURI"
        | PrivateData -> "PrivateData"
@@ -341,8 +347,10 @@ include
       | PrivateData, JavaScript (* leaking private data into JS *)
       | UserControlledURI, (CreateIntent | StartComponent)
       (* create intent/launch component from user-controlled URI *)
-      | UserControlledURI, CreateFile ->
-          (* create file from user-controller URI; potential path-traversal vulnerability *)
+      | UserControlledURI, CreateFile
+      (* create file from user-controller URI; potential path-traversal vulnerability *)
+      | Clipboard, (StartComponent | CreateIntent | JavaScript | CreateFile) ->
+          (* do something sensitive with user-controlled data from the clipboard *)
           true
       | Other, _ | _, Other -> (* for testing purposes, Other matches everything *)
           true

infer/tests/codetoanalyze/java/quandary/Clipboard.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2017 - present Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+package codetoanalyze.java.quandary;
+
+import android.app.Activity;
+import android.content.ClipboardManager;
+
+import com.facebook.infer.builtins.InferTaint;
+
+public class Clipboard {
+  ClipboardManager clipboard;
+
+  void readClipboardSourcesBad() {
+    InferTaint.inferSensitiveSink(clipboard.getText());
+    InferTaint.inferSensitiveSink(clipboard.getPrimaryClip());
+    InferTaint.inferSensitiveSink(clipboard.getPrimaryClip().getItemAt(5));
+    InferTaint.inferSensitiveSink(clipboard.getPrimaryClip().getItemAt(5).getText());
+    InferTaint.inferSensitiveSink(clipboard.getPrimaryClip().toString());
+    // 5 reports
+  }
+
+}

infer/tests/codetoanalyze/java/quandary/issues.exp

@@ -25,6 +25,11 @@ codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad2(), 3, QUANDARY_T
 codetoanalyze/java/quandary/Basics.java, void Basics.viaVarBad3(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad1(int), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Basics.java, void Basics.whileBad2(int), 6, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 1, QUANDARY_TAINT_ERROR, [return from CharSequence ClipboardManager.getText(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 2, QUANDARY_TAINT_ERROR, [return from ClipData ClipboardManager.getPrimaryClip(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 3, QUANDARY_TAINT_ERROR, [return from ClipData ClipboardManager.getPrimaryClip(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 4, QUANDARY_TAINT_ERROR, [return from ClipData ClipboardManager.getPrimaryClip(),call to void InferTaint.inferSensitiveSink(Object)]
+codetoanalyze/java/quandary/Clipboard.java, void Clipboard.readClipboardSourcesBad(), 5, QUANDARY_TAINT_ERROR, [return from ClipData ClipboardManager.getPrimaryClip(),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal), 1, QUANDARY_TAINT_ERROR, [return from AssetFileDescriptor ContentProviders.openAssetFile(Uri,String,CancellationSignal),call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal), 2, QUANDARY_TAINT_ERROR, [return from AssetFileDescriptor ContentProviders.openTypedAssetFile(Uri,String,Bundle,CancellationSignal),call to File.<init>(String)]
 codetoanalyze/java/quandary/ContentProviders.java, Bundle ContentProviders.call(String,String,Bundle), 1, QUANDARY_TAINT_ERROR, [return from Bundle ContentProviders.call(String,String,Bundle),call to File.<init>(String)]