From 449fb24ef6cbae61a0e6bce36c2930691620b8b1 Mon Sep 17 00:00:00 2001
From: Arthur Baars
Date: Tue, 29 Sep 2020 18:10:05 +0200
Subject: [PATCH] Java: android add taint and SQL sink for ContentProvider/Resolver
---
 .../java/dataflow/internal/TaintTrackingUtil.qll | 9 +++++++++
 .../code/java/frameworks/android/Android.qll | 10 +++++++++-
 .../code/java/frameworks/android/SQLite.qll | 15 ++++++++++++---
 3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index c31f6f3d940..2c99b08948c 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -592,6 +592,15 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
 arg = [0 .. method.getNumberOfParameters()] and arg != 3
 )
+ or
+ (
+ method.getDeclaringType() instanceof AndroidContentProvider or
+ method.getDeclaringType() instanceof AndroidContentResolver
+ ) and
+ // Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
+ // Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
+ method.hasName("query") and
+ arg = 0
 }
 /**
diff --git a/java/ql/src/semmle/code/java/frameworks/android/Android.qll b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
index a16c43ddfc5..da500afbe6e 100644
--- a/java/ql/src/semmle/code/java/frameworks/android/Android.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/Android.qll
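Review bot: The new disjunct lists the two `query` overloads it has in mind but never says why only argument 0 propagates to the result; a why-comment above `method.hasName("query") and`, such as `// The Uri selects which provider and table the returned Cursor reads from, so a tainted Uri makes the Cursor's contents attacker-influenced.`, would make the step reviewable without opening the Android docs. Because the step is not restricted by parameter count, it also fires for any other `query` overload declared on these types, which looks intended but is worth stating in the same comment. The `AndroidContentProvider`-or-`AndroidContentResolver` disjunction added here is repeated verbatim in the three `SQLite.qll` hunks (`@@ -187`, `@@ -199`, `@@ -210`); a single predicate in `Android.qll`, e.g. `predicate isContentProviderOrResolver(RefType t) { t instanceof AndroidContentProvider or t instanceof AndroidContentResolver }`, would keep the four sites in sync when the next declaring type is added. The enclosing predicate `taintPreservingArgumentToMethod` starts before this hunk.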
@@ -14,7 +14,8 @@ class AndroidComponent extends Class {
 this.getASupertype*().hasQualifiedName("android.app", "Activity") or
 this.getASupertype*().hasQualifiedName("android.app", "Service") or
 this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver") or
- this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
+ this.getASupertype*().hasQualifiedName("android.content", "ContentProvider") or
+ this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
 }
 /** The XML element corresponding to this Android component. */
@@ -52,3 +53,10 @@ class AndroidContentProvider extends AndroidComponent {
 this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
 }
 }
+
+/** An Android content resolver. */
+class AndroidContentResolver extends AndroidComponent {
+ AndroidContentResolver() {
+ this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
+ }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
index 86679b0307e..fdf7a67d1e5 100644
--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -187,7 +187,10 @@ private class QueryBuilderUpdateMethod extends SQLiteRunner {
 private class ContentProviderDeleteMethod extends SQLiteRunner {
 ContentProviderDeleteMethod() {
 // delete(Uri uri, String selection, String[] selectionArgs)
- this.getDeclaringType() instanceof AndroidContentProvider and
+ (
+ this.getDeclaringType() instanceof AndroidContentProvider or
+ this.getDeclaringType() instanceof AndroidContentResolver
+ ) and
 this.hasName("delete") and
 this.getNumberOfParameters() = 3
 }
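Review bot: Declaring `AndroidContentResolver` as a subclass of `AndroidComponent`, and widening the `AndroidComponent` disjunction with `"ContentResolver"` to make that satisfiable, models a client-side API as an app component, which it is not. The context line `/** The XML element corresponding to this Android component. */` shows that `AndroidComponent` members are expected to have a manifest declaration, and resolver classes have none, so any query that treats `AndroidComponent` as an entry point or looks up its manifest element will now also pick up `ContentResolver` subclasses. Both edits become unnecessary with a narrower declaration: `class AndroidContentResolver extends Class {` with the same characteristic predicate, leaving the `@@ -14` hunk's original `ContentProvider` line untouched. This point covers the `@@ -52,3 +53,10` hunk as well.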
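Review bot: The comment `// delete(Uri uri, String selection, String[] selectionArgs)` above the new disjunction still reads as a description of the provider-side override, but for a `ContentResolver` the matched method is the client call whose `selection` string is passed through to the target provider's SQL, which is the reason both declaring types are sinks. One extra line in the same style, `// On a ContentResolver this is the call site; the selection is passed through to the target provider.`, would record that without changing the predicate. The same wording applies to the `@@ -199` and `@@ -210` hunks, which are otherwise identical in shape.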
@@ -199,7 +202,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
 ContentProviderQueryMethod() {
 // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
 // query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
- this.getDeclaringType() instanceof AndroidContentProvider and
+ (
+ this.getDeclaringType() instanceof AndroidContentProvider or
+ this.getDeclaringType() instanceof AndroidContentResolver
+ ) and
 this.hasName("query") and
 this.getNumberOfParameters() = [5, 6]
 }
@@ -210,7 +216,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
 private class ContentProviderUpdateMethod extends SQLiteRunner {
 ContentProviderUpdateMethod() {
 // update(Uri uri, ContentValues values, String selection, String[] selectionArgs)
- this.getDeclaringType() instanceof AndroidContentProvider and
+ (
+ this.getDeclaringType() instanceof AndroidContentProvider or
+ this.getDeclaringType() instanceof AndroidContentResolver
+ ) and
 this.hasName("update") and
 this.getNumberOfParameters() = 4
 }
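Review bot: `this.getNumberOfParameters() = [5, 6]` leaves the 4-parameter `query(Uri, String[], Bundle, CancellationSignal)` overload unmatched, and now that `ContentResolver` is in scope that is an overload callers on newer API levels may use, with the selection carried inside the `Bundle` rather than as a direct `String` argument. If it is deliberately out of scope because the SQL fragment is not a plain parameter, a third comment line next to the two signature comments saying so, e.g. `// query(Uri, String[], Bundle, CancellationSignal) is not modelled: the selection lives in the Bundle.`, would stop it from being re-raised. The `@@ -210` hunk has the same shape and raises nothing further.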