Add Editable.toString flow step

This commit is contained in:
Tony Torralba
2022-04-26 11:00:41 +02:00
parent 6738270b65
commit 2ee83e2ba2
35 changed files with 905 additions and 29 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.


@@ -16,6 +16,18 @@ private class DefaultAndroidWidgetSources extends RemoteFlowSource {
override string getSourceType() { result = "Android widget source" }
}
private class EditableToStringStep extends AdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(MethodAccess toString |
toString.getMethod().hasName("toString") and
toString.getReceiverType().hasQualifiedName("android.text", "Editable")
|
n1.asExpr() = toString.getQualifier() and
n2.asExpr() = toString
)
}
}
private class AndroidWidgetSummaryModels extends SummaryModelCsv {
override predicate row(string row) {
row = "android.widget;EditText;true;getText;;;Argument[-1];ReturnValue;taint"
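Review bot: EditableToStringStep only fires when the receiver's static type is exactly `android.text.Editable`, so a `toString()` call on an expression typed as an implementing class (for example a local declared with a concrete subtype that holds the result of `getText()`) is not covered, whereas the removed `Object.toString` steps in the cleartext-storage files matched any receiver. If that breadth is intended, widen the check to `toString.getReceiverType().getASourceSupertype*().hasQualifiedName("android.text", "Editable")`. The class also carries no QLDoc, unlike the step it replaces; add a one-line QLDoc above `private class EditableToStringStep` stating that the step propagates taint from the qualifier of a `toString` call on an `android.text.Editable` to the call result. The removed comment noted that `getText()` is sometimes extracted with return type `Object`; if that still holds for some databases, this stricter receiver-type check would drop those cases, which is worth confirming against the existing tests. AndroidWidgetSummaryModels, opened at the end of the hunk, continues outside it.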


@@ -11,20 +11,6 @@ private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink {
LocalDatabaseCleartextStorageSink() { localDatabaseInput(_, this.asExpr()) }
}
private class LocalDatabaseCleartextStorageStep extends CleartextStorageAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
// EditText.getText() return type is parsed as `Object`, so we need to
// add a taint step for `Object.toString` to model `editText.getText().toString()`
exists(MethodAccess ma, Method m |
ma.getMethod() = m and
m.getDeclaringType() instanceof TypeObject and
m.hasName("toString")
|
n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma
)
}
}
/** The creation of an object that can be used to store data in a local database. */
class LocalDatabaseOpenMethodAccess extends Storable, Call {
LocalDatabaseOpenMethodAccess() {


@@ -85,18 +85,3 @@ private class EncryptedValueFlowConfig extends DataFlow4::Configuration {
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveExpr }
}
/** A taint step for `EditText.toString` in Android. */
private class AndroidEditTextCleartextStorageStep extends CleartextStorageAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
// EditText.getText() return type is parsed as `Object`, so we need to
// add a taint step for `Object.toString` to model `editText.getText().toString()`
exists(MethodAccess ma, Method m |
ma.getMethod() = m and
m.getDeclaringType() instanceof TypeObject and
m.hasName("toString")
|
n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma
)
}
}