mirror of
https://github.com/github/codeql.git
synced 2026-04-29 10:45:15 +02:00
Adapt to use the new shared Intent models
This commit is contained in:
Chris Smowton
@@ -142,18 +142,25 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
|
||||
"android.os;Bundle;true;putStringArrayList;;;Argument[1];MapValue of Argument[-1];value",
|
||||
"android.os;Bundle;true;readFromParcel;;;Argument[0];MapKey of Argument[-1];taint",
|
||||
"android.os;Bundle;true;readFromParcel;;;Argument[0];MapValue of Argument[-1];taint",
|
||||
// currently only the Extras part of the intent is fully modelled
|
||||
// currently only the Extras part of the intent and the data field are fully modelled
|
||||
"android.content;Intent;false;Intent;(Intent);;MapKey of SyntheticField[android.content.Intent.extras] of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
|
||||
"android.content;Intent;false;Intent;(Intent);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
|
||||
"android.content;Intent;false;Intent;(String,Uri);;Argument[1];MapValue of SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;false;Intent;(String,Uri,Context,Class);;Argument[1];MapValue of SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;false;createChooser;;;Argument[0..2];MapValue of SyntheticField[android.content.Intent.extras] of ReturnValue;value",
|
||||
"android.content;Intent;true;getBundleExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getByteArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getCharArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getCharSequenceArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getCharSequenceArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getCharSequenceExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getData;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getDataString;;;SyntheticField[android.content.Intent.data] of Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;getExtras;();;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;false;getIntent;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
|
||||
"android.content;Intent;false;getIntentOld;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
|
||||
"android.content;Intent;true;getParcelableArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getParcelableArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getParcelableExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
@@ -161,6 +168,7 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
|
||||
"android.content;Intent;true;getStringArrayExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getStringArrayListExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;getStringExtra;(String);;MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;false;parseUri;();;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];taint",
|
||||
"android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
|
||||
"android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[1];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
|
||||
"android.content;Intent;true;putCharSequenceArrayListExtra;;;Argument[-1];ReturnValue;value",
|
||||
@@ -192,9 +200,13 @@ private class IntentBundleFlowSteps extends SummaryModelCsv {
|
||||
"android.content;Intent;true;setClassName;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setComponent;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setData;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setData;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;true;setDataAndNormalize;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setDataAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setDataAndType;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setDataAndTypeAndNormalize;;;Argument[0];SyntheticField[android.content.Intent.data] of Argument[-1];value",
|
||||
"android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setIdentifier;;;Argument[-1];ReturnValue;value",
|
||||
"android.content;Intent;true;setPackage;;;Argument[-1];ReturnValue;value",
|
||||
|
||||
@@ -28,45 +28,6 @@ class GetContentIntent extends ClassInstanceExpr {
|
||||
}
|
||||
}
|
||||
|
||||
/** Android intent data model in the new CSV format. */
|
||||
private class AndroidIntentDataModel extends SummaryModelCsv {
|
||||
override predicate row(string row) {
|
||||
row =
|
||||
[
|
||||
"android.content;Intent;true;addCategory;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;addFlags;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;createChooser;;;Argument[0];ReturnValue;taint",
|
||||
"android.content;Intent;true;getData;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;getDataString;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;getExtras;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;getIntent;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;get" +
|
||||
[
|
||||
"ParcelableArray", "ParcelableArrayList", "Parcelable", "Serializable", "StringArray",
|
||||
"StringArrayList", "String"
|
||||
] + "Extra;;;Argument[-1..1];ReturnValue;taint",
|
||||
"android.content;Intent;true;put" +
|
||||
[
|
||||
"", "CharSequenceArrayList", "IntegerArrayList", "ParcelableArrayList",
|
||||
"StringArrayList"
|
||||
] + "Extra;;;Argument[1];Argument[-1];taint",
|
||||
"android.content;Intent;true;putExtras;;;Argument[1];Argument[-1];taint",
|
||||
"android.content;Intent;true;setData;;;Argument[0];ReturnValue;taint",
|
||||
"android.content;Intent;true;setDataAndType;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;setFlags;;;Argument[-1];ReturnValue;taint",
|
||||
"android.content;Intent;true;setType;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getEncodedPath;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getEncodedQuery;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getLastPathSegment;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getPath;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getQuery;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getQueryParameter;;;Argument[-1];ReturnValue;taint",
|
||||
"android.net;Uri;true;getQueryParameters;;;Argument[-1];ReturnValue;taint"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
/** Taint configuration for getting content intent. */
|
||||
class GetContentIntentConfig extends TaintTracking2::Configuration {
|
||||
GetContentIntentConfig() { this = "GetContentIntentConfig" }
|
||||
@@ -80,6 +41,19 @@ class GetContentIntentConfig extends TaintTracking2::Configuration {
|
||||
ma.getMethod() instanceof StartActivityForResultMethod and sink.asExpr() = ma.getArgument(0)
|
||||
)
|
||||
}
|
||||
|
||||
override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content content) {
|
||||
super.allowImplicitRead(node, content)
|
||||
or
|
||||
// Allow the wrapped intent created by Intent.getChooser to be consumed
|
||||
// by at the sink:
|
||||
isSink(node) and
|
||||
(
|
||||
content.(DataFlow::SyntheticFieldContent).getField() = "android.content.Intent.extras"
|
||||
or
|
||||
content instanceof DataFlow::MapValueContent
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** Android `Intent` input to request file loading. */
|
||||
|
||||
@@ -14,6 +14,8 @@ import semmle.code.java.controlflow.Guards
|
||||
import AndroidFileIntentSink
|
||||
import AndroidFileIntentSource
|
||||
import DataFlow::PathGraph
|
||||
// For readStep, to implement `isAdditionalTaintStep`
|
||||
private import semmle.code.java.dataflow.internal.DataFlowPrivate
|
||||
|
||||
private class StartsWithSanitizer extends DataFlow::BarrierGuard {
|
||||
StartsWithSanitizer() { this.(MethodAccess).getMethod().hasName("startsWith") }
|
||||
@@ -64,6 +66,7 @@ class AndroidFileLeakConfig extends TaintTracking::Configuration {
|
||||
)
|
||||
or
|
||||
exists(MethodAccess csma, ServiceOnStartCommandMethod ssm, ClassInstanceExpr ce |
|
||||
// An intent passed to startService will later be passed to the onStartCommand event of the corresponding service
|
||||
csma.getMethod() instanceof ContextStartServiceMethod and
|
||||
ce.getConstructedType() instanceof TypeIntent and // Intent intent = new Intent(context, FileUploader.class);
|
||||
ce.getArgument(1).(TypeLiteral).getReferencedType() = ssm.getDeclaringType() and
|
||||
@@ -71,6 +74,11 @@ class AndroidFileLeakConfig extends TaintTracking::Configuration {
|
||||
prev.asExpr() = csma.getArgument(0) and
|
||||
succ.asParameter() = ssm.getParameter(0) // public int onStartCommand(Intent intent, int flags, int startId) {...} in FileUploader
|
||||
)
|
||||
or
|
||||
// When a whole Intent is tainted (e.g., due to this Configuration's source), treat its fields as tainted
|
||||
readStep(prev,
|
||||
any(DataFlow::SyntheticFieldContent c | c.getField().matches("android.content.Intent.%")),
|
||||
succ)
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
|
||||
|
||||
@@ -1,14 +1,20 @@
|
||||
edges
|
||||
| FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent |
|
||||
| FileService.java:20:31:20:43 | intent : Intent | FileService.java:25:42:25:50 | localPath : String |
|
||||
| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String |
|
||||
| FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String |
|
||||
| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : Object |
|
||||
| FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
|
||||
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object |
|
||||
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object |
|
||||
| FileService.java:25:42:25:50 | localPath : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String |
|
||||
| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String |
|
||||
| FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object |
|
||||
| FileService.java:32:13:32:28 | sourceUri : String | FileService.java:35:17:35:25 | sourceUri : String |
|
||||
| FileService.java:34:20:36:13 | {...} [[]] : Object | FileService.java:34:20:36:13 | new Object[] [[]] : Object |
|
||||
| FileService.java:34:20:36:13 | {...} [[]] : String | FileService.java:34:20:36:13 | new Object[] [[]] : String |
|
||||
| FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} [[]] : Object |
|
||||
| FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} [[]] : String |
|
||||
| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object |
|
||||
| FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] |
|
||||
@@ -16,19 +22,25 @@ edges
|
||||
| LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent |
|
||||
| LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent |
|
||||
| LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent |
|
||||
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri |
|
||||
| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri |
|
||||
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) |
|
||||
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Object |
|
||||
| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object |
|
||||
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | LeakFileActivity.java:21:58:21:82 | getPath(...) |
|
||||
nodes
|
||||
| FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent |
|
||||
| FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent |
|
||||
| FileService.java:21:28:21:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
|
||||
| FileService.java:21:28:21:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | semmle.label | makeParamsToExecute(...) : Object[] |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | semmle.label | makeParamsToExecute(...) [[]] : Object |
|
||||
| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String | semmle.label | makeParamsToExecute(...) [[]] : String |
|
||||
| FileService.java:25:42:25:50 | localPath : Object | semmle.label | localPath : Object |
|
||||
| FileService.java:25:42:25:50 | localPath : String | semmle.label | localPath : String |
|
||||
| FileService.java:32:13:32:28 | sourceUri : Object | semmle.label | sourceUri : Object |
|
||||
| FileService.java:32:13:32:28 | sourceUri : String | semmle.label | sourceUri : String |
|
||||
| FileService.java:34:20:36:13 | new Object[] [[]] : Object | semmle.label | new Object[] [[]] : Object |
|
||||
| FileService.java:34:20:36:13 | new Object[] [[]] : String | semmle.label | new Object[] [[]] : String |
|
||||
| FileService.java:34:20:36:13 | {...} [[]] : Object | semmle.label | {...} [[]] : Object |
|
||||
| FileService.java:34:20:36:13 | {...} [[]] : String | semmle.label | {...} [[]] : String |
|
||||
| FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object |
|
||||
| FileService.java:35:17:35:25 | sourceUri : String | semmle.label | sourceUri : String |
|
||||
| FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] |
|
||||
| FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object |
|
||||
@@ -38,10 +50,11 @@ nodes
|
||||
| LeakFileActivity.java:14:35:14:38 | data : Intent | semmle.label | data : Intent |
|
||||
| LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | semmle.label | contentIntent : Intent |
|
||||
| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | semmle.label | contentIntent : Intent |
|
||||
| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | semmle.label | getData(...) : Uri |
|
||||
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | semmle.label | streamsToUpload : Uri |
|
||||
| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | semmle.label | getData(...) : Object |
|
||||
| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | semmle.label | streamsToUpload : Object |
|
||||
| LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) |
|
||||
subpaths
|
||||
| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:34:20:36:13 | new Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object |
|
||||
| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : String |
|
||||
#select
|
||||
| FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
|
||||
|
||||
Reference in New Issue
Block a user