Add AsyncTask value step

2026-05-04 05:05:12 +02:00 · 2021-11-15 16:13:36 +01:00
parent a40a393b38
commit 87ebcea913
7 changed files with 101 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -11,6 +11,7 @@ private import semmle.code.java.dataflow.DataFlow
 */
 private module Frameworks {
  private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.android.AsyncTask
  private import semmle.code.java.frameworks.android.Intent
  private import semmle.code.java.frameworks.android.SQLite
  private import semmle.code.java.frameworks.Guice
--- a/java/ql/lib/semmle/code/java/frameworks/android/AsyncTask.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/AsyncTask.qll
@@ -0,0 +1,52 @@
+/** Provides classes and predicates to reason about `AsyncTask`s in Android. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+
+/**
+ * Models the value-preserving step from `asyncTask.execute(params)` to `AsyncTask::doInBackground(params)`.
+ */
+private class AsyncTaskAdditionalValueStep extends AdditionalValueStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(ExecuteAsyncTaskMethodAccess ma, AsyncTaskRunInBackgroundMethod m |
+      DataFlow::getInstanceArgument(ma).getType() = m.getDeclaringType() and
+      node1.asExpr() = ma.getParamsArgument() and
+      node2.asParameter() = m.getParameter(0)
+    )
+  }
+}
+
+/**
+ * The Android class `android.os.AsyncTask`.
+ */
+private class AsyncTask extends RefType {
+  AsyncTask() { this.hasQualifiedName("android.os", "AsyncTask") }
+}
+
+/** A call to the `execute` or `executeOnExecutor` methods of the `android.os.AsyncTask` class. */
+private class ExecuteAsyncTaskMethodAccess extends MethodAccess {
+  Argument paramsArgument;
+
+  ExecuteAsyncTaskMethodAccess() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof AsyncTask
+    |
+      m.getName() = "execute" and not m.isStatic() and paramsArgument = this.getArgument(0)
+      or
+      m.getName() = "executeOnExecutor" and paramsArgument = this.getArgument(1)
+    )
+  }
+
+  /** Returns the `params` argument of this call. */
+  Argument getParamsArgument() { result = paramsArgument }
+}
+
+/** The `doInBackground` method of the `android.os.AsyncTask` class. */
+private class AsyncTaskRunInBackgroundMethod extends Method {
+  AsyncTaskRunInBackgroundMethod() {
+    this.getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof AsyncTask and
+    this.getName() = "doInBackground"
+  }
+}