hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 18:25:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Propagate extras through build methods

Browse Source
This commit is contained in:
Tony Torralba
2021-12-09 14:56:52 +01:00
parent c0c40cc05b
commit 522a4bb9fa
2 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/lib/semmle/code/java/frameworks/android/Notifications.qll
View File

@@ -10,18 +10,21 @@ private class NotificationBuildersSummaryModels extends SummaryModelCsv {
row =
[
"android.app;Notification$Action;true;Action;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint",
"android.app;Notification$Action;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
"android.app;Notification$Action$Builder;true;Builder;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint",
"android.app;Notification$Action$Builder;true;Builder;(Icon,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint",
"android.app;Notification$Action$Builder;true;Builder;(Action);;Argument[0];Argument[-1];taint",
"android.app;Notification$Action$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Action$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Action$Builder;true;build;;;Argument[-1];ReturnValue;taint",
"android.app;Notification$Action$Builder;true;build;;;SyntheticField[android.content.Intent.extras] of Argument[-1];SyntheticField[android.content.Intent.extras] of ReturnValue;value",
"android.app;Notification$Action$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
"android.app;Notification$Builder;true;addAction;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint",
"android.app;Notification$Builder;true;addAction;(Action);;Argument[0];Argument[-1];taint",
"android.app;Notification$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Builder;true;addExtras;;;MapValue of Argument[0];MapValue of SyntheticField[android.content.Intent.extras] of Argument[-1];value",
"android.app;Notification$Builder;true;build;;;Argument[-1];ReturnValue;taint",
"android.app;Notification$Builder;true;build;;;SyntheticField[android.content.Intent.extras] of Argument[-1];Field[android.app.Notification.extras] of ReturnValue;value",
"android.app;Notification$Builder;true;setContentIntent;;;Argument[0];Argument[-1];taint",
"android.app;Notification$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras] of Argument[-1];ReturnValue;value",
"android.app;Notification$Builder;true;recoverBuilder;;;Argument[1];ReturnValue;taint",

20
java/ql/test/library-tests/frameworks/android/notification/Test.java
View File

@@ -101,6 +101,16 @@ public class Test {
out = in.build();
sink(out); // $ hasTaintFlow
}
{
// "android.app;Notification$Action$Builder;true;build;;;SyntheticField[android.content.Intent.extras]
// of Argument[-1];SyntheticField[android.content.Intent.extras] of ReturnValue;value"
Notification.Action out = null;
Notification.Action.Builder builder = null;
Bundle in = (Bundle) newWithMapValueDefault(source());
builder.addExtras(in);
out = builder.build();
sink(getMapValueDefault(out.getExtras())); // $ hasValueFlow
}
{
// "android.app;Notification$Action$Builder;true;extend;;;Argument[-1];ReturnValue;value"
Notification.Action.Builder out = null;
@@ -223,6 +233,16 @@ public class Test {
out = in.build();
sink(out); // $ hasTaintFlow
}
{
// "android.app;Notification$Builder;true;build;;;SyntheticField[android.content.Intent.extras]
// of Argument[-1];Field[android.app.Notification.extras] of ReturnValue;value"
Notification out = null;
Notification.Builder builder = null;
Bundle in = (Bundle) newWithMapValueDefault(source());
builder.addExtras(in);
out = builder.build();
sink(getMapValueDefault(out.extras)); // $ hasValueFlow
}
{
// "android.app;Notification$Builder;true;extend;;;Argument[-1];ReturnValue;value"
Notification.Builder out = null;