Java: tests for android database sinks

java/ql/test/library-tests/frameworks/android/taint-database/Sinks.java

@@ -0,0 +1,359 @@
+import android.content.ContentProvider;
+import android.content.ContentResolver;
+import android.content.ContentValues;
+import android.content.Context;
+import android.database.DatabaseUtils;
+import android.database.sqlite.SQLiteDatabase;
+import android.database.sqlite.SQLiteQueryBuilder;
+import android.net.Uri;
+import android.os.CancellationSignal;
+
+public class Sinks {
+	public static <T> T taint() {
+		return null;
+	}
+
+	private static abstract class MyContentProvider extends ContentProvider {
+		// Dummy class to test for sub classes
+	}
+
+	private static abstract class MyContentResolver extends ContentResolver {
+		// Dummy class to test for sub classes
+	}
+	private static abstract class MySQLiteQueryBuilder extends SQLiteQueryBuilder {
+		// Dummy class to test for sub classes
+	}
+
+	public static void compileStatement(SQLiteDatabase target) {
+		String sql = taint();
+		target.compileStatement(sql);
+	}
+
+	public static void delete1(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.delete(db, selection, selectionArgs);
+	}
+
+	public static void delete(SQLiteDatabase target) {
+		String table = taint();
+		String whereClause = taint();
+		String[] whereArgs = taint();
+		target.delete(table, whereClause, whereArgs);
+	}
+
+	public static void delete(MyContentResolver target) {
+		Uri uri = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.delete(uri, selection, selectionArgs);
+	}
+
+	public static void delete(MyContentProvider target) {
+		Uri uri = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.delete(uri, selection, selectionArgs);
+	}
+
+	public static void execPerConnectionSQL(SQLiteDatabase target) {
+		String sql = taint();
+		Object[] bindArgs = taint();
+		target.execPerConnectionSQL(sql, bindArgs);
+	}
+
+	public static void execSQL(SQLiteDatabase target) {
+		String sql = taint();
+		target.execSQL(sql);
+	}
+
+	public static void execSQL2(SQLiteDatabase target) {
+		String sql = taint();
+		Object[] bindArgs = taint();
+		target.execSQL(sql, bindArgs);
+	}
+
+	public static void insert(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		ContentValues values = taint();
+		target.insert(db, values);
+	}
+
+	public static void query(SQLiteDatabase target) {
+		boolean distinct = taint();
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		String limit = taint();
+		target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
+	}
+
+	public static void query2(SQLiteDatabase target) {
+		boolean distinct = taint();
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		String limit = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.query(distinct, table, columns, selection, selectionArgs, groupBy, having, orderBy, limit,
+				cancellationSignal);
+	}
+
+	public static void query3(SQLiteDatabase target) {
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy);
+	}
+
+	public static void query4(SQLiteDatabase target) {
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		String limit = taint();
+		target.query(table, columns, selection, selectionArgs, groupBy, having, orderBy, limit);
+	}
+
+	public static void query(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		String[] projectionIn = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String sortOrder = taint();
+		target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder);
+	}
+
+	public static void query2(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		String[] projectionIn = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String sortOrder = taint();
+		String limit = taint();
+		target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit);
+	}
+
+	public static void query3(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		String[] projectionIn = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String sortOrder = taint();
+		String limit = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.query(db, projectionIn, selection, selectionArgs, groupBy, having, sortOrder, limit, cancellationSignal);
+	}
+
+	public static void query3(MyContentProvider target) {
+		Uri uri = taint();
+		String[] projection = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String sortOrder = taint();
+		target.query(uri, projection, selection, selectionArgs, sortOrder);
+	}
+
+	public static void query(MyContentProvider target) {
+		Uri uri = taint();
+		String[] projection = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String sortOrder = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
+	}
+
+	public static void query3(MyContentResolver target) {
+		Uri uri = taint();
+		String[] projection = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String sortOrder = taint();
+		target.query(uri, projection, selection, selectionArgs, sortOrder);
+	}
+
+	public static void query(MyContentResolver target) {
+		Uri uri = taint();
+		String[] projection = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String sortOrder = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.query(uri, projection, selection, selectionArgs, sortOrder, cancellationSignal);
+	}
+
+	public static void queryWithFactory(SQLiteDatabase target) {
+		SQLiteDatabase.CursorFactory cursorFactory = taint();
+		boolean distinct = taint();
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		String limit = taint();
+		target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
+				orderBy, limit);
+	}
+
+	public static void queryWithFactory2(SQLiteDatabase target) {
+		SQLiteDatabase.CursorFactory cursorFactory = taint();
+		boolean distinct = taint();
+		String table = taint();
+		String[] columns = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		String groupBy = taint();
+		String having = taint();
+		String orderBy = taint();
+		String limit = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.queryWithFactory(cursorFactory, distinct, table, columns, selection, selectionArgs, groupBy, having,
+				orderBy, limit, cancellationSignal);
+	}
+
+	public static void rawQuery(SQLiteDatabase target) {
+		String sql = taint();
+		String[] selectionArgs = taint();
+		target.rawQuery(sql, selectionArgs);
+	}
+
+	public static void rawQuery2(SQLiteDatabase target) {
+		String sql = taint();
+		String[] selectionArgs = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.rawQuery(sql, selectionArgs, cancellationSignal);
+	}
+
+	public static void rawQueryWithFactory(SQLiteDatabase target) {
+		SQLiteDatabase.CursorFactory cursorFactory = taint();
+		String sql = taint();
+		String[] selectionArgs = taint();
+		String editTable = taint();
+		target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable);
+	}
+
+	public static void rawQueryWithFactory2(SQLiteDatabase target) {
+		SQLiteDatabase.CursorFactory cursorFactory = taint();
+		String sql = taint();
+		String[] selectionArgs = taint();
+		String editTable = taint();
+		CancellationSignal cancellationSignal = taint();
+		target.rawQueryWithFactory(cursorFactory, sql, selectionArgs, editTable, cancellationSignal);
+	}
+
+	public static void update(MySQLiteQueryBuilder target) {
+		target = taint();;
+		SQLiteDatabase db = taint();
+		ContentValues values = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.update(db, values, selection, selectionArgs);
+	}
+
+	public static void update(SQLiteDatabase target) {
+		String table = taint();
+		ContentValues values = taint();
+		String whereClause = taint();
+		String[] whereArgs = taint();
+		target.update(table, values, whereClause, whereArgs);
+	}
+
+	public static void update(MyContentResolver target) {
+		Uri uri = taint();
+		ContentValues values = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.update(uri, values, selection, selectionArgs);
+	}
+
+	public static void update(MyContentProvider target) {
+		Uri uri = taint();
+		ContentValues values = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		target.update(uri, values, selection, selectionArgs);
+	}
+
+	public static void updateWithOnConflict(SQLiteDatabase target) {
+		String table = taint();
+		ContentValues values = taint();
+		String whereClause = taint();
+		String[] whereArgs = taint();
+		int conflictAlgorithm = taint();
+		target.updateWithOnConflict(table, values, whereClause, whereArgs, conflictAlgorithm);
+	}
+
+	public static void queryNumEntries() {
+		SQLiteDatabase db = taint();
+		String table = taint();
+		String selection = taint();
+		DatabaseUtils.queryNumEntries(db, table, selection);
+	}
+
+	public static void queryNumEntries2() {
+		SQLiteDatabase db = taint();
+		String table = taint();
+		String selection = taint();
+		String[] selectionArgs = taint();
+		DatabaseUtils.queryNumEntries(db, table, selection, selectionArgs);
+	}
+
+	public static void createDbFromSqlStatements() {
+		Context context = taint();
+		String dbName = taint();
+		int dbVersion = taint();
+		String sqlStatements = taint();
+		DatabaseUtils.createDbFromSqlStatements(context, dbName, dbVersion, sqlStatements);
+	}
+
+	public static void blobFileDescriptorForQuery() {
+		SQLiteDatabase db = taint();
+		String query = taint();
+		String[] selectionArgs = taint();
+		DatabaseUtils.blobFileDescriptorForQuery(db, query, selectionArgs);
+	}
+
+	public static void longForQuery() {
+		SQLiteDatabase db = taint();
+		String query = taint();
+		String[] selectionArgs = taint();
+		DatabaseUtils.longForQuery(db, query, selectionArgs);
+	}
+
+	public static void stringForQuery() {
+		SQLiteDatabase db = taint();
+		String query = taint();
+		String[] selectionArgs = taint();
+		DatabaseUtils.stringForQuery(db, query, selectionArgs);
+	}
+}

java/ql/test/library-tests/frameworks/android/taint-database/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/android

java/ql/test/library-tests/frameworks/android/taint-database/sinks.expected

@@ -0,0 +1,74 @@
+| Sinks.java:29:27:29:29 | sql |
+| Sinks.java:37:3:37:8 | target |
+| Sinks.java:37:21:37:29 | selection |
+| Sinks.java:44:24:44:34 | whereClause |
+| Sinks.java:51:22:51:30 | selection |
+| Sinks.java:58:22:58:30 | selection |
+| Sinks.java:64:31:64:33 | sql |
+| Sinks.java:69:18:69:20 | sql |
+| Sinks.java:75:18:75:20 | sql |
+| Sinks.java:82:3:82:8 | target |
+| Sinks.java:95:42:95:50 | selection |
+| Sinks.java:95:68:95:74 | groupBy |
+| Sinks.java:95:77:95:82 | having |
+| Sinks.java:95:85:95:91 | orderBy |
+| Sinks.java:95:94:95:98 | limit |
+| Sinks.java:109:42:109:50 | selection |
+| Sinks.java:109:68:109:74 | groupBy |
+| Sinks.java:109:77:109:82 | having |
+| Sinks.java:109:85:109:91 | orderBy |
+| Sinks.java:109:94:109:98 | limit |
+| Sinks.java:121:32:121:40 | selection |
+| Sinks.java:121:58:121:64 | groupBy |
+| Sinks.java:121:67:121:72 | having |
+| Sinks.java:121:75:121:81 | orderBy |
+| Sinks.java:133:32:133:40 | selection |
+| Sinks.java:133:58:133:64 | groupBy |
+| Sinks.java:133:67:133:72 | having |
+| Sinks.java:133:75:133:81 | orderBy |
+| Sinks.java:133:84:133:88 | limit |
+| Sinks.java:145:3:145:8 | target |
+| Sinks.java:145:45:145:57 | selectionArgs |
+| Sinks.java:145:69:145:74 | having |
+| Sinks.java:145:77:145:85 | sortOrder |
+| Sinks.java:158:3:158:8 | target |
+| Sinks.java:158:45:158:57 | selectionArgs |
+| Sinks.java:158:69:158:74 | having |
+| Sinks.java:158:77:158:85 | sortOrder |
+| Sinks.java:158:88:158:92 | limit |
+| Sinks.java:172:3:172:8 | target |
+| Sinks.java:172:45:172:57 | selectionArgs |
+| Sinks.java:172:69:172:74 | having |
+| Sinks.java:172:77:172:85 | sortOrder |
+| Sinks.java:172:88:172:92 | limit |
+| Sinks.java:172:95:172:112 | cancellationSignal |
+| Sinks.java:181:33:181:41 | selection |
+| Sinks.java:191:33:191:41 | selection |
+| Sinks.java:200:33:200:41 | selection |
+| Sinks.java:210:33:210:41 | selection |
+| Sinks.java:224:68:224:76 | selection |
+| Sinks.java:224:94:224:100 | groupBy |
+| Sinks.java:224:103:224:108 | having |
+| Sinks.java:225:5:225:11 | orderBy |
+| Sinks.java:225:14:225:18 | limit |
+| Sinks.java:240:68:240:76 | selection |
+| Sinks.java:240:94:240:100 | groupBy |
+| Sinks.java:240:103:240:108 | having |
+| Sinks.java:241:5:241:11 | orderBy |
+| Sinks.java:241:14:241:18 | limit |
+| Sinks.java:247:19:247:21 | sql |
+| Sinks.java:254:19:254:21 | sql |
+| Sinks.java:262:45:262:47 | sql |
+| Sinks.java:271:45:271:47 | sql |
+| Sinks.java:280:3:280:8 | target |
+| Sinks.java:280:29:280:37 | selection |
+| Sinks.java:288:32:288:42 | whereClause |
+| Sinks.java:296:30:296:38 | selection |
+| Sinks.java:304:30:304:38 | selection |
+| Sinks.java:313:46:313:56 | whereClause |
+| Sinks.java:320:44:320:52 | selection |
+| Sinks.java:328:44:328:52 | selection |
+| Sinks.java:336:71:336:83 | sqlStatements |
+| Sinks.java:343:48:343:52 | query |
+| Sinks.java:350:34:350:38 | query |
+| Sinks.java:357:36:357:40 | query |

java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql

@@ -0,0 +1,5 @@
+import semmle.code.java.security.QueryInjection
+
+from QueryInjectionSink sink
+where sink.getLocation().getFile().getBaseName() = "Sinks.java"
+select sink