hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-28 12:53:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5505 from joefarebrother/android-sql-convert

Browse Source 
Java: Convert Android SQL-related flow steps to CSV format
This commit is contained in:
Anders Schack-Mulligen
2021-07-14 13:56:55 +02:00
committed by GitHub
parent 0b21caa9ae 4d459f24d9
commit 3c4cd15738
2 changed files with 69 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
View File

@@ -110,72 +110,51 @@ private class SQLiteSinkCsv extends SinkModelCsv {
}
}
private class QueryBuilderBuildMethod extends TaintPreservingCallable {
int argument;
QueryBuilderBuildMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
(
// buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
// buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
// buildUnionQuery(String[] subQueries, String sortOrder, String limit)
this.hasName(["buildQuery", "buildUnionQuery"]) and
argument = [-1 .. getNumberOfParameters()]
or
// buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
// buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
this.hasName("buildUnionSubQuery") and
argument = [-1 .. getNumberOfParameters()] and
argument != 3
or
// static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
hasName("buildQueryString") and
argument = [1 .. getNumberOfParameters()]
)
}
override predicate returnsTaintFrom(int arg) { argument = arg }
}
private class QueryBuilderAppendMethod extends TaintPreservingCallable {
QueryBuilderAppendMethod() {
this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
// setProjectionMap(Map<String, String> columnMap)
// setTables(String inTables)
// appendWhere(CharSequence inWhere)
// appendWhereStandalone(CharSequence inWhere)
// static appendColumns(StringBuilder s, String[] columns)
this.hasName([
"setProjectionMap", "setTables", "appendWhere", "appendWhereStandalone", "appendColumns"
])
}
override predicate transfersTaint(int src, int sink) {
if hasName("appendColumns") then (src = 1 and sink = 0) else (src = 0 and sink = -1)
private class SqlFlowStep extends SummaryModelCsv {
override predicate row(string row) {
row =
[
//"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
// buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
// buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
// buildUnionQuery(String[] subQueries, String sortOrder, String limit)
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;Argument[-1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;ArrayElement of Argument[0];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;Argument[1..5];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[-1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;ArrayElement of Argument[0];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[3..6];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;Argument[-1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;ArrayElement of Argument[0];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;Argument[1..2];ReturnValue;taint",
// buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
// buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String[],String,String);;Argument[-1..0];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String[],String,String);;ArrayElement of Argument[1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String[],String,String);;Element of Argument[2];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String[],String,String);;Argument[4..5];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String[],String,String);;Argument[7..8];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String,String);;Argument[-1..0];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String,String);;ArrayElement of Argument[1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String,String);;Element of Argument[2];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set,int,String,String,String,String);;Argument[4..7];ReturnValue;taint",
// static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
"android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;Argument[1];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;ArrayElement of Argument[2];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;Argument[3..7];ReturnValue;taint",
"android.database.sqlite;SQLiteQueryBuilder;true;setProjectionMap;(Map);;MapKey of Argument[0];Argument[-1];taint",
"android.database.sqlite;SQLiteQueryBuilder;true;setProjectionMap;(Map);;MapValue of Argument[0];Argument[-1];taint",
"android.database.sqlite;SQLiteQueryBuilder;true;setTables;(String);;Argument[0];Argument[-1];taint",
"android.database.sqlite;SQLiteQueryBuilder;true;appendWhere;(CharSequence);;Argument[0];Argument[-1];taint",
"android.database.sqlite;SQLiteQueryBuilder;true;appendWhereStandalone;(CharSequence);;Argument[0];Argument[-1];taint",
"android.database.sqlite;SQLiteQueryBuilder;true;appendColumns;(StringBuilder,String[]);;ArrayElement of Argument[1];Argument[0];taint",
"android.database;DatabaseUtils;false;appendSelectionArgs;(String[],String[]);;ArrayElement of Argument[0..1];ArrayElement of ReturnValue;taint",
"android.database;DatabaseUtils;false;concatenateWhere;(String,String);;Argument[0..1];ReturnValue;taint",
"android.content;ContentProvider;true;query;(Uri,String[],String,String[],String);;Argument[0];ReturnValue;taint",
"android.content;ContentProvider;true;query;(Uri,String[],String,String[],String,CancellationSignal);;Argument[0];ReturnValue;taint",
"android.content;ContentResolver;true;query;(Uri,String[],String,String[],String);;Argument[0];ReturnValue;taint",
"android.content;ContentResolver;true;query;(Uri,String[],String,String[],String,CancellationSignal);;Argument[0];ReturnValue;taint"
]
}
}
private class UnsafeAppendUtilMethod extends TaintPreservingCallable {
UnsafeAppendUtilMethod() {
this.getDeclaringType() instanceof TypeDatabaseUtils and
// String[] appendSelectionArgs(String[] originalValues, String[] newValues)
// String concatenateWhere(String a, String b)
this.hasName(["appendSelectionArgs", "concatenateWhere"])
}
override predicate returnsTaintFrom(int arg) { arg = [0 .. getNumberOfParameters()] }
}
private class TaintPreservingQueryMethod extends TaintPreservingCallable {
TaintPreservingQueryMethod() {
(
this.getDeclaringType() instanceof AndroidContentProvider or
this.getDeclaringType() instanceof AndroidContentResolver
) and
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
this.hasName("query")
}
override predicate returnsTaintFrom(int arg) { arg = 0 }
}