hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-28 21:03:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: android add taint and SQL sink for ContentProvider/Resolver

Browse Source
This commit is contained in:
Arthur Baars
2020-09-29 18:10:05 +02:00
parent efd5b6ff66
commit 449fb24ef6
3 changed files with 30 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -592,6 +592,15 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
arg = [0 .. method.getNumberOfParameters()] and
arg != 3
)
or
(
method.getDeclaringType() instanceof AndroidContentProvider or
method.getDeclaringType() instanceof AndroidContentResolver
) and
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
method.hasName("query") and
arg = 0
}
/**

10
java/ql/src/semmle/code/java/frameworks/android/Android.qll
View File

@@ -14,7 +14,8 @@ class AndroidComponent extends Class {
this.getASupertype*().hasQualifiedName("android.app", "Activity") or
this.getASupertype*().hasQualifiedName("android.app", "Service") or
this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver") or
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider") or
this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
}
/** The XML element corresponding to this Android component. */
@@ -52,3 +53,10 @@ class AndroidContentProvider extends AndroidComponent {
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
}
}
/** An Android content resolver. */
class AndroidContentResolver extends AndroidComponent {
AndroidContentResolver() {
this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
}
}

15
java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
View File

@@ -187,7 +187,10 @@ private class QueryBuilderUpdateMethod extends SQLiteRunner {
private class ContentProviderDeleteMethod extends SQLiteRunner {
ContentProviderDeleteMethod() {
// delete(Uri uri, String selection, String[] selectionArgs)
this.getDeclaringType() instanceof AndroidContentProvider and
(
this.getDeclaringType() instanceof AndroidContentProvider or
this.getDeclaringType() instanceof AndroidContentResolver
) and
this.hasName("delete") and
this.getNumberOfParameters() = 3
}
@@ -199,7 +202,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
ContentProviderQueryMethod() {
// query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
// query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
this.getDeclaringType() instanceof AndroidContentProvider and
(
this.getDeclaringType() instanceof AndroidContentProvider or
this.getDeclaringType() instanceof AndroidContentResolver
) and
this.hasName("query") and
this.getNumberOfParameters() = [5, 6]
}
@@ -210,7 +216,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
private class ContentProviderUpdateMethod extends SQLiteRunner {
ContentProviderUpdateMethod() {
// update(Uri uri, ContentValues values, String selection, String[] selectionArgs)
this.getDeclaringType() instanceof AndroidContentProvider and
(
this.getDeclaringType() instanceof AndroidContentProvider or
this.getDeclaringType() instanceof AndroidContentResolver
) and
this.hasName("update") and
this.getNumberOfParameters() = 4
}