[quandary] add Intent's passed to onActivityResult/onNewIntent as sources

Reviewed By: mburman Differential Revision: D4399245 fbshipit-source-id: f196e4c
8 years ago · ee2d0c9226
parent b6fbb133de
commit ee2d0c9226
3 changed files with 34 additions and 3 deletions
--- a/infer/src/quandary/JavaTrace.ml
+++ b/infer/src/quandary/JavaTrace.ml
@ -57,7 +57,7 @@ module SourceKind = struct
    | pname when BuiltinDecl.is_declared pname -> None
    | pname -> failwithf "Non-Java procname %a in Java analysis@." Procname.pp pname

-  let get_tainted_formals pdesc _ =
+  let get_tainted_formals pdesc tenv =
    let make_untainted (name, typ) =
      name, typ, None in
    let taint_formals_with_types type_strs kind formals =
@ -79,8 +79,22 @@ module SourceKind = struct
          match Procname.java_get_class_name java_pname, Procname.java_get_method java_pname with
          | "codetoanalyze.java.quandary.TaintedFormals", "taintedContextBad" ->
              taint_formals_with_types ["java.lang.Integer"; "java.lang.String"] Other formals
-          | _ ->
-              Source.all_formals_untainted pdesc
+          | class_name, method_name ->
+              let taint_matching_supertype typename _ =
+                match Typename.name typename, method_name with
+                | "android.app.Activity", ("onActivityResult" | "onNewIntent") ->
+                    Some (taint_formals_with_types ["android.content.Intent"] Intent formals)
+                | _ ->
+                    None in
+              begin
+                match
+                  PatternMatch.supertype_find_map_opt
+                    tenv
+                    taint_matching_supertype
+                    (Typename.Java.from_string class_name) with
+                | Some tainted_formals -> tainted_formals
+                | None -> Source.all_formals_untainted pdesc
+              end
        end
    | procname ->
        failwithf
--- a/infer/tests/codetoanalyze/java/quandary/Intents.java
+++ b/infer/tests/codetoanalyze/java/quandary/Intents.java
@ -30,6 +30,21 @@ class IntentSubclass extends Intent {
 abstract class ContextSubclass extends Context {
 }

+class MyActivity extends Activity {
+
+  @Override
+  // intent is modeled as tainted
+  public void onActivityResult(int requestCode, int resultCode, Intent intent) {
+    startService(intent);
+  }
+
+  @Override
+  // intent is modeled as tainted
+  public void onNewIntent(Intent intent) {
+    startService(intent);
+  }
+}
+
 public class Intents {

  private native int rand();
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
@ -88,6 +88,8 @@ codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Int
 codetoanalyze/java/quandary/Intents.java, void Intents.callAllIntentSinksBad(Intent), 22, QUANDARY_TAINT_ERROR, [return from String Intent.getStringExtra(String),call to Intent Intent.setTypeAndNormalize(String)]
 codetoanalyze/java/quandary/Intents.java, void Intents.reuseIntentBad(Activity), 1, QUANDARY_TAINT_ERROR, [return from Intent Activity.getIntent(),call to void Activity.startActivity(Intent)]
 codetoanalyze/java/quandary/Intents.java, void Intents.subclassCallBad(IntentSubclass,ContextSubclass), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to Intent Intent.setAction(String)]
+codetoanalyze/java/quandary/Intents.java, void MyActivity.onActivityResult(int,int,Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onActivityResult(int,int,Intent),call to ComponentName ContextWrapper.startService(Intent)]
+codetoanalyze/java/quandary/Intents.java, void MyActivity.onNewIntent(Intent), 1, QUANDARY_TAINT_ERROR, [return from void MyActivity.onNewIntent(Intent),call to ComponentName ContextWrapper.startService(Intent)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsIntraprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSinkInterprocedural(Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]
 codetoanalyze/java/quandary/Interprocedural.java, Object Interprocedural.irrelevantPassthroughsSourceAndSinkInterprocedural(Object), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.relevantPassthrough(Object),return from Object Interprocedural.returnSourceIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to Object Interprocedural.callSinkIrrelevantPassthrough(Object),flow through Object Interprocedural.relevantPassthrough(Object),call to void InferTaint.inferSensitiveSink(Object)]