diff --git a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
index 4daba80ee79..125cf23cf49 100644
--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -40,17 +40,27 @@ private class SQLiteSinkCsv extends SinkModelCsv {
 // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit, CancellationSignal cancellationSignal)
 // queryWithFactory(SQLiteDatabase.CursorFactory cursorFactory, boolean distinct, String table, String[] columns, String selection, String[] selectionArgs, String groupBy, String having, String orderBy, String limit)
 // Each String / String[] arg except for selectionArgs is a sink
- "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[0..2];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[0];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[1];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String,String);;Argument[4..7];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String);;Argument[0..2];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(String,String[],String,String[],String,String,String);;Argument[4..6];sql",
- "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[1..3];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[1];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[2];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[3];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String);;Argument[5..8];sql",
- "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1..3];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[2];sql",
+ "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[3];sql",
 "android.database.sqlite;SQLiteDatabase;false;query;(boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[5..8];sql",
- "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[2..4];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[2];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;ArrayElement of Argument[3];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[4];sql",
 "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String);;Argument[6..9];sql",
- "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2..4];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[3];sql",
+ "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[4];sql",
 "android.database.sqlite;SQLiteDatabase;false;queryWithFactory;(CursorFactory,boolean,String,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[6..9];sql",
 "android.database.sqlite;SQLiteDatabase;false;rawQuery;(String,String[]);;Argument[0];sql",
 "android.database.sqlite;SQLiteDatabase;false;rawQuery;(String,String[],CancellationSignal);;Argument[0];sql",
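Review bot: The seven-argument `query` overload `(String,String[],String,String[],String,String,String)` is left as a context line with `Argument[0..2]`, so its `columns` array is still modelled as a whole-array sink while every other `query`/`queryWithFactory` row changed in this hunk now uses `ArrayElement of Argument[n]`. For consistency that row should be split the same way into `Argument[0]`, `ArrayElement of Argument[1]` and `Argument[2]`. The context comment `// Each String / String[] arg except for selectionArgs is a sink` no longer matches the rows either; something like `// Each String arg, and each element of a String[] arg, except for selectionArgs is a sink` would describe the new model.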
@@ -77,13 +87,16 @@ private class SQLiteSinkCsv extends SinkModelCsv {
 // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
 // query(SQLiteDatabase db, String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit, CancellationSignal cancellationSignal)
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[-1];sql",
- "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[1..2];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;ArrayElement of Argument[1];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String);;Argument[4..6];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[-1];sql",
- "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[1..2];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;ArrayElement of Argument[1];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String);;Argument[4..7];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[-1];sql",
- "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[1..2];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;ArrayElement of Argument[1];sql",
+ "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[2];sql",
 "android.database.sqlite;SQLiteQueryBuilder;true;query;(SQLiteDatabase,String[],String,String[],String,String,String,String,CancellationSignal);;Argument[4..7];sql",
 "android.content;ContentProvider;true;delete;(Uri,String,String[]);;Argument[1];sql",
 "android.content;ContentProvider;true;update;(Uri,ContentValues,String,String[]);;Argument[2];sql",
diff --git a/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java b/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
index b4501377cb2..3dcdd8e5106 100644
--- a/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java
@@ -85,7 +85,7 @@ public class Sinks {
 public static void query(SQLiteDatabase target) {
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
- String[] columns = {taint()}; // $hasTaintFlowSink
+ String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
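Review bot: Changing `// $hasTaintFlowSink` to `// $ MISSING: hasTaintFlowSink` on `String[] columns = {taint()};` records that a tainted column list reaching `query` is no longer reported, which is a detection gap for SQL injection through the projection argument. The same expectation change is made in the hunks at -98, -123, -136, -148, -161, -214 and -229 (`columns` and `projectionIn`). Presumably the new `ArrayElement of Argument[n]` sink rows are not yet matched by flow from the array initializer; either keep the whole-array rows alongside them in SQLite.qll until they are, or add a comment above the first changed expectation naming the limitation, e.g. `// array-element sinks are not resolved yet; expectation returns once content flow into sinks is supported`. Each enclosing test method continues outside its hunk.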
@@ -98,7 +98,7 @@ public class Sinks {
 public static void query2(SQLiteDatabase target) {
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
- String[] columns = {taint()}; // $hasTaintFlowSink
+ String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -123,7 +123,7 @@ public class Sinks {
 public static void query4(SQLiteDatabase target) {
 String table = taint(); // $hasTaintFlowSink
- String[] columns = {taint()}; // $hasTaintFlowSink
+ String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -136,7 +136,7 @@ public class Sinks {
 public static void query(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
- String[] projectionIn = {taint()}; // $hasTaintFlowSink
+ String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -148,7 +148,7 @@ public class Sinks {
 public static void query2(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
- String[] projectionIn = {taint()}; // $hasTaintFlowSink
+ String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -161,7 +161,7 @@ public class Sinks {
 public static void query3(MySQLiteQueryBuilder target) {
 target = taint(); // $hasTaintFlowSink
 SQLiteDatabase db = taint();
- String[] projectionIn = {taint()}; // $hasTaintFlowSink
+ String[] projectionIn = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -214,7 +214,7 @@ public class Sinks {
 SQLiteDatabase.CursorFactory cursorFactory = taint();
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
- String[] columns = {taint()}; // $hasTaintFlowSink
+ String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink
@@ -229,7 +229,7 @@ public class Sinks {
 SQLiteDatabase.CursorFactory cursorFactory = taint();
 boolean distinct = taint();
 String table = taint(); // $hasTaintFlowSink
- String[] columns = {taint()}; // $hasTaintFlowSink
+ String[] columns = {taint()}; // $ MISSING: hasTaintFlowSink
 String selection = taint(); // $hasTaintFlowSink
 String[] selectionArgs = {taint()};
 String groupBy = taint(); // $hasTaintFlowSink