Java: android add taint and SQL sink for ContentProvider/Resolver
@@ -592,6 +592,15 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
|
||||
arg = [0 .. method.getNumberOfParameters()] and
|
||||
arg != 3
|
||||
)
|
||||
or
|
||||
(
|
||||
method.getDeclaringType() instanceof AndroidContentProvider or
|
||||
method.getDeclaringType() instanceof AndroidContentResolver
|
||||
) and
|
||||
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
|
||||
// Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
|
||||
method.hasName("query") and
|
||||
arg = 0
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
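Review bot: The new `query` disjunct in `taintPreservingArgumentToMethod` has no parameter-count constraint, so it matches every overload named `query` on the two types, while the two comment lines above it list only the 5- and 6-parameter signatures. If matching every overload is intended, the comment should say so; otherwise add `method.getNumberOfParameters() = [5, 6] and`, which is how the SQL sink classes changed in the same commit constrain it. The disjunct also needs a line explaining the modelling decision, for example `// the Cursor returned by query() is treated as tainted when the Uri (argument 0) is tainted`, because this step makes every row read from a provider reached through a tainted Uri a taint source for downstream queries. The predicate's opening lines are outside the hunk, so the grouping of the preceding disjuncts cannot be checked from here.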
@@ -14,7 +14,8 @@ class AndroidComponent extends Class {
|
||||
this.getASupertype*().hasQualifiedName("android.app", "Activity") or
|
||||
this.getASupertype*().hasQualifiedName("android.app", "Service") or
|
||||
this.getASupertype*().hasQualifiedName("android.content", "BroadcastReceiver") or
|
||||
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
|
||||
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider") or
|
||||
this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
|
||||
}
|
||||
|
||||
/** The XML element corresponding to this Android component. */
|
||||
@@ -52,3 +53,10 @@ class AndroidContentProvider extends AndroidComponent {
|
||||
this.getASupertype*().hasQualifiedName("android.content", "ContentProvider")
|
||||
}
|
||||
}
|
||||
|
||||
/** An Android content resolver. */
|
||||
class AndroidContentResolver extends AndroidComponent {
|
||||
AndroidContentResolver() {
|
||||
this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")
|
||||
}
|
||||
}
|
||||
|
||||
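Review bot: Adding `ContentResolver` to the characteristic predicate of `AndroidComponent` widens a class that appears to model manifest-declared components, as the context line "The XML element corresponding to this Android component" suggests. A `ContentResolver` is the client-side handle used to reach a provider and has no manifest element, so any query that ranges over `AndroidComponent` will now also range over resolver types, and the manifest-related member predicates have no result for them. The narrower change is to leave `AndroidComponent` as it was and declare `class AndroidContentResolver extends Class` with the same `this.getASupertype*().hasQualifiedName("android.content", "ContentResolver")` body. The rest of `AndroidComponent` is outside the hunk, so the effect on its other members is inferred rather than visible.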
@@ -187,7 +187,10 @@ private class QueryBuilderUpdateMethod extends SQLiteRunner {
|
||||
private class ContentProviderDeleteMethod extends SQLiteRunner {
|
||||
ContentProviderDeleteMethod() {
|
||||
// delete(Uri uri, String selection, String[] selectionArgs)
|
||||
this.getDeclaringType() instanceof AndroidContentProvider and
|
||||
(
|
||||
this.getDeclaringType() instanceof AndroidContentProvider or
|
||||
this.getDeclaringType() instanceof AndroidContentResolver
|
||||
) and
|
||||
this.hasName("delete") and
|
||||
this.getNumberOfParameters() = 3
|
||||
}
|
||||
@@ -199,7 +202,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
|
||||
ContentProviderQueryMethod() {
|
||||
// query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder, CancellationSignal cancellationSignal)
|
||||
// query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder)
|
||||
this.getDeclaringType() instanceof AndroidContentProvider and
|
||||
(
|
||||
this.getDeclaringType() instanceof AndroidContentProvider or
|
||||
this.getDeclaringType() instanceof AndroidContentResolver
|
||||
) and
|
||||
this.hasName("query") and
|
||||
this.getNumberOfParameters() = [5, 6]
|
||||
}
|
||||
@@ -210,7 +216,10 @@ private class ContentProviderQueryMethod extends SQLiteRunner {
|
||||
private class ContentProviderUpdateMethod extends SQLiteRunner {
|
||||
ContentProviderUpdateMethod() {
|
||||
// update(Uri uri, ContentValues values, String selection, String[] selectionArgs)
|
||||
this.getDeclaringType() instanceof AndroidContentProvider and
|
||||
(
|
||||
this.getDeclaringType() instanceof AndroidContentProvider or
|
||||
this.getDeclaringType() instanceof AndroidContentResolver
|
||||
) and
|
||||
this.hasName("update") and
|
||||
this.getNumberOfParameters() = 4
|
||||
}
|
||||
|
||||
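Review bot: The parameter-count constraints kept in `ContentProviderDeleteMethod` (`= 3`), `ContentProviderQueryMethod` (`= [5, 6]`) and `ContentProviderUpdateMethod` (`= 4`) cover only the selection-string signatures, so the Bundle-based overloads are not sinks. These include `query(Uri, String[], Bundle, CancellationSignal)` and, on newer API levels, `delete(Uri, Bundle)` and `update(Uri, ContentValues, Bundle)`, where a selection passed inside the Bundle is not modelled. Either extend the counts or add a comment such as `// Bundle-based overloads are not modelled; selection passed via query args is missed` so the coverage gap is explicit. The class names still say `ContentProvider` although each now also matches `ContentResolver`; a one-line QLDoc on each class stating that both the provider and the resolver method are covered would prevent misreading. The predicates that select the SQL argument index are outside these hunks, so this note covers only which methods are matched.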