Add Fragment injection query

2026-05-05 13:45:19 +02:00 · 2021-10-20 12:03:23 +02:00
parent efb471687c
commit 701d12fb5b
12 changed files with 275 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-470/AndroidManifest.xml
+++ b/java/ql/test/query-tests/security/CWE-470/AndroidManifest.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    package="com.example.myapp">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+
+        <activity android:name=".MainActivity">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+</manifest>
--- a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected
+++ b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.expected
--- a/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-470/FragmentInjectionTest.ql
@@ -0,0 +1,11 @@
+import java
+import semmle.code.java.security.FragmentInjectionQuery
+import TestUtilities.InlineFlowTest
+
+class Test extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+
+  override TaintTracking::Configuration getTaintFlowConfig() {
+    result instanceof FragmentInjectionTaintConf
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-470/MainActivity.java
+++ b/java/ql/test/query-tests/security/CWE-470/MainActivity.java
@@ -0,0 +1,39 @@
+package com.example.myapp;
+
+import android.app.Fragment;
+import android.os.Bundle;
+import android.view.LayoutInflater;
+import android.view.View;
+import android.view.ViewGroup;
+import android.widget.Button;
+import androidx.fragment.app.FragmentActivity;
+import androidx.fragment.app.FragmentTransaction;
+
+public class MainActivity extends FragmentActivity {
+
+    @Override
+    protected void onCreate(Bundle savedInstance) {
+        try {
+            super.onCreate(savedInstance);
+            final String fname = getIntent().getStringExtra("fname");
+            FragmentTransaction ft = getSupportFragmentManager().beginTransaction();
+            Class<Fragment> fClass = (Class<Fragment>) Class.forName(fname);
+            ft.add(fClass.newInstance(), ""); // $ hasTaintFlow
+            ft.add(0, Fragment.instantiate(this, fname), null); // $ hasTaintFlow
+            ft.add(0, Fragment.instantiate(this, fname, null)); // $ hasTaintFlow
+            ft.add(0, fClass, null, ""); // $ hasTaintFlow
+            ft.add(0, fClass.newInstance(), ""); // $ hasTaintFlow
+            ft.attach(fClass.newInstance()); // $ hasTaintFlow
+            ft.replace(0, fClass, null); // $ hasTaintFlow
+            ft.replace(0, fClass.newInstance()); // $ hasTaintFlow
+            ft.replace(0, fClass, null, ""); // $ hasTaintFlow
+            ft.replace(0, fClass.newInstance(), ""); // $ hasTaintFlow
+
+            ft.add(Fragment.class.newInstance(), ""); // Safe
+            ft.attach(Fragment.class.newInstance()); // Safe
+            ft.replace(0, Fragment.class.newInstance(), ""); // Safe
+        } catch (Exception e) {
+        }
+    }
+
+}
--- a/java/ql/test/query-tests/security/CWE-470/options
+++ b/java/ql/test/query-tests/security/CWE-470/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0`