Merge pull request #6923 from atorralba/atorralba/android-fragment-injection

Java: CWE-470 - Queries to detect Fragment Injection in Android applications
2026-05-02 20:25:13 +02:00 · 2022-01-17 14:02:15 +01:00
parent 3c837c322b 7beab7cb59
commit 227929508f
35 changed files with 4537 additions and 663 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/android/Fragment.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/Fragment.qll
@@ -0,0 +1,16 @@
+/** Provides classes and predicates to track Android fragments. */
+
+import java
+
+/** The class `android.app.Fragment` */
+class Fragment extends Class {
+  Fragment() { this.hasQualifiedName("android.app", "Fragment") }
+}
+
+/** The method `instantiate` of the class `android.app.Fragment`. */
+class FragmentInstantiateMethod extends Method {
+  FragmentInstantiateMethod() {
+    this.getDeclaringType() instanceof Fragment and
+    this.hasName("instantiate")
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
@@ -0,0 +1,83 @@
+/** Provides classes and predicates to reason about Android Fragment injection vulnerabilities. */
+
+import java
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.frameworks.android.Android
+private import semmle.code.java.frameworks.android.Fragment
+private import semmle.code.java.Reflection
+
+/** The method `isValidFragment` of the class `android.preference.PreferenceActivity`. */
+class IsValidFragmentMethod extends Method {
+  IsValidFragmentMethod() {
+    this.getDeclaringType()
+        .getASupertype*()
+        .hasQualifiedName("android.preference", "PreferenceActivity") and
+    this.hasName("isValidFragment")
+  }
+
+  /**
+   * Holds if this method makes the Activity it is declared in vulnerable to Fragment injection,
+   * that is, all code paths in this method return `true` and the Activity is exported.
+   */
+  predicate isUnsafe() {
+    this.getDeclaringType().(AndroidActivity).isExported() and
+    forex(ReturnStmt retStmt | retStmt.getEnclosingCallable() = this |
+      retStmt.getResult().(BooleanLiteral).getBooleanValue() = true
+    )
+  }
+}
+
+/**
+ * A sink for Fragment injection vulnerabilities,
+ * that is, method calls that dynamically add fragments to activities.
+ */
+abstract class FragmentInjectionSink extends DataFlow::Node { }
+
+/** An additional taint step for flows related to Fragment injection vulnerabilites. */
+class FragmentInjectionAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` should be considered a taint
+   * step in flows related to Fragment injection vulnerabilites.
+   */
+  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
+}
+
+private class FragmentInjectionSinkModels extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      ["android.app", "android.support.v4.app", "androidx.fragment.app"] +
+        ";FragmentTransaction;true;" +
+        [
+          "add;(Class,Bundle,String);;Argument[0]", "add;(Fragment,String);;Argument[0]",
+          "add;(int,Class,Bundle);;Argument[1]", "add;(int,Fragment);;Argument[1]",
+          "add;(int,Class,Bundle,String);;Argument[1]", "add;(int,Fragment,String);;Argument[1]",
+          "attach;(Fragment);;Argument[0]", "replace;(int,Class,Bundle);;Argument[1]",
+          "replace;(int,Fragment);;Argument[1]", "replace;(int,Class,Bundle,String);;Argument[1]",
+          "replace;(int,Fragment,String);;Argument[1]",
+        ] + ";fragment-injection"
+  }
+}
+
+private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
+  DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
+}
+
+private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(ReflectiveClassIdentifierMethodAccess ma |
+      ma.getArgument(0) = n1.asExpr() and ma = n2.asExpr()
+    )
+    or
+    exists(NewInstance ni |
+      ni.getQualifier() = n1.asExpr() and
+      ni = n2.asExpr()
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof FragmentInstantiateMethod and
+      ma.getArgument(1) = n1.asExpr() and
+      ma = n2.asExpr()
+    )
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -0,0 +1,22 @@
+/** Provides classes and predicates to be used in queries related to Android Fragment injection. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.FragmentInjection
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to create Android fragments dynamically.
+ */
+class FragmentInjectionTaintConf extends TaintTracking::Configuration {
+  FragmentInjectionTaintConf() { this = "FragmentInjectionTaintConf" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
+  }
+}