Improve AsyncTask data flow support

Model the life-cycle described here: https://developer.android.com/reference/android/os/AsyncTask\#the-4-steps
2026-05-05 13:45:19 +02:00 · 2022-08-05 10:16:30 +02:00
parent ba2cee07a9
commit 5ebce6ee4f
3 changed files with 102 additions and 22 deletions
--- a/java/ql/test/library-tests/frameworks/android/asynctask/Test.java
+++ b/java/ql/test/library-tests/frameworks/android/asynctask/Test.java
@@ -10,16 +10,19 @@ public class Test {

    public void test() {
        TestAsyncTask t = new TestAsyncTask();
-        t.execute(source("execute"));
-        t.executeOnExecutor(null, source("executeOnExecutor"));
+        t.execute(source("execute"), null);
+        t.executeOnExecutor(null, source("executeOnExecutor"), null);
        SafeAsyncTask t2 = new SafeAsyncTask();
        t2.execute("safe");
+        TestConstructorTask t3 = new TestConstructorTask(source("constructor"), "safe");
+        t3.execute(source("params"));
    }

    private class TestAsyncTask extends AsyncTask<Object, Object, Object> {
        @Override
        protected Object doInBackground(Object... params) {
-            sink(params); // $ hasValueFlow=execute hasValueFlow=executeOnExecutor
+            sink(params[0]); // $ hasTaintFlow=execute hasTaintFlow=executeOnExecutor
+            sink(params[1]); // $ SPURIOUS: hasTaintFlow=execute hasTaintFlow=executeOnExecutor
            return null;
        }
    }
@@ -27,8 +30,34 @@ public class Test {
    private class SafeAsyncTask extends AsyncTask<Object, Object, Object> {
        @Override
        protected Object doInBackground(Object... params) {
-            sink(params); // Safe
+            sink(params[0]); // Safe
            return null;
        }
    }
+
+    class TestConstructorTask extends AsyncTask<Object, Object, Object> {
+        private Object field;
+        private Object safeField;
+
+        public TestConstructorTask(Object field, Object safeField) {
+            this.field = field;
+            this.safeField = safeField;
+        }
+
+        @Override
+        protected Object doInBackground(Object... params) {
+            sink(params[0]); // $ hasTaintFlow=params
+            sink(field); // $ hasValueFlow=constructor
+            sink(safeField); // Safe
+            return params[0];
+        }
+
+        @Override
+        protected void onPostExecute(Object param) {
+            sink(param); // $ hasTaintFlow=params
+            sink(field); // $ hasValueFlow=constructor
+            sink(safeField); // Safe
+        }
+
+    }
 }