Java: convert IntentUriPermissionManipulation test to .qlref

Nora Dimitrijević
2025-06-23 12:45:56 +02:00
parent c77875d834
commit b736e3733c
4 changed files with 64 additions and 21 deletions


@@ -0,0 +1,43 @@
#select
| MainActivity.java:13:34:13:39 | intent | MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:12:29:12:39 | getIntent(...) | user-provided value |
| MainActivity.java:17:34:17:44 | extraIntent | MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:17:34:17:44 | extraIntent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:16:43:16:53 | getIntent(...) | user-provided value |
| MainActivity.java:33:34:33:39 | intent | MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:30:29:30:39 | getIntent(...) | user-provided value |
| MainActivity.java:46:34:46:39 | intent | MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:42:29:42:39 | getIntent(...) | user-provided value |
| MainActivity.java:52:34:52:39 | intent | MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:49:29:49:39 | getIntent(...) | user-provided value |
| MainActivity.java:60:38:60:43 | intent | MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:55:29:55:39 | getIntent(...) | user-provided value |
| MainActivity.java:71:38:71:43 | intent | MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:64:29:64:39 | getIntent(...) | user-provided value |
| MainActivity.java:81:38:81:43 | intent | MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | This Intent can be set with arbitrary flags from a $@, and used to give access to internal content providers. | MainActivity.java:75:29:75:39 | getIntent(...) | user-provided value |
edges
| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | MainActivity.java:13:34:13:39 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:16:34:16:87 | (...)... : Intent | MainActivity.java:17:34:17:44 | extraIntent | provenance | Sink:MaD:1 |
| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | provenance | MaD:2 |
| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | MainActivity.java:16:34:16:87 | (...)... : Intent | provenance | |
| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | MainActivity.java:33:34:33:39 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | MainActivity.java:46:34:46:39 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | MainActivity.java:52:34:52:39 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | MainActivity.java:60:38:60:43 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | MainActivity.java:71:38:71:43 | intent | provenance | Sink:MaD:1 |
| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | MainActivity.java:81:38:81:43 | intent | provenance | Sink:MaD:1 |
models
| 1 | Sink: android.app; Activity; true; setResult; (int,Intent); ; Argument[1]; pending-intents; manual |
| 2 | Summary: android.content; Intent; true; getParcelableExtra; (String); ; Argument[this].SyntheticField[android.content.Intent.extras].MapValue; ReturnValue; value; manual |
nodes
| MainActivity.java:12:29:12:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:13:34:13:39 | intent | semmle.label | intent |
| MainActivity.java:16:34:16:87 | (...)... : Intent | semmle.label | (...)... : Intent |
| MainActivity.java:16:43:16:53 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:16:43:16:87 | getParcelableExtra(...) : Parcelable | semmle.label | getParcelableExtra(...) : Parcelable |
| MainActivity.java:17:34:17:44 | extraIntent | semmle.label | extraIntent |
| MainActivity.java:30:29:30:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:33:34:33:39 | intent | semmle.label | intent |
| MainActivity.java:42:29:42:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:46:34:46:39 | intent | semmle.label | intent |
| MainActivity.java:49:29:49:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:52:34:52:39 | intent | semmle.label | intent |
| MainActivity.java:55:29:55:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:60:38:60:43 | intent | semmle.label | intent |
| MainActivity.java:64:29:64:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:71:38:71:43 | intent | semmle.label | intent |
| MainActivity.java:75:29:75:39 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
| MainActivity.java:81:38:81:43 | intent | semmle.label | intent |
subpaths


@@ -1,4 +0,0 @@
import java
import utils.test.InlineFlowTest
import semmle.code.java.security.IntentUriPermissionManipulationQuery
import TaintFlowTest<IntentUriPermissionManipulationConfig>


@@ -0,0 +1,4 @@
query: Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -9,12 +9,12 @@ public class MainActivity extends Activity {
public void onCreate(Bundle savedInstance) {
{
Intent intent = getIntent();
setResult(RESULT_OK, intent); // $ hasTaintFlow
Intent intent = getIntent(); // $ Source
setResult(RESULT_OK, intent); // $ Alert
}
{
Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent");
setResult(RESULT_OK, extraIntent); // $ hasTaintFlow
Intent extraIntent = (Intent) getIntent().getParcelableExtra("extraIntent"); // $ Source
setResult(RESULT_OK, extraIntent); // $ Alert
}
{
Intent intent = getIntent();
@@ -27,10 +27,10 @@ public class MainActivity extends Activity {
setResult(RESULT_OK, intent); // Safe
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
intent.setFlags( // Not properly sanitized
Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
setResult(RESULT_OK, intent); // $ hasTaintFlow
setResult(RESULT_OK, intent); // $ Alert
}
{
Intent intent = getIntent();
@@ -39,46 +39,46 @@ public class MainActivity extends Activity {
setResult(RESULT_OK, intent); // Safe
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
// Combined, the following two calls are a sanitizer
intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
setResult(RESULT_OK, intent); // $ SPURIOUS: $ hasTaintFlow
setResult(RESULT_OK, intent); // $ SPURIOUS: $ Alert
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
intent.removeFlags( // Not properly sanitized
Intent.FLAG_GRANT_WRITE_URI_PERMISSION | Intent.FLAG_ACTIVITY_CLEAR_TOP);
setResult(RESULT_OK, intent); // $ hasTaintFlow
setResult(RESULT_OK, intent); // $ Alert
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
// Good check
if (intent.getData().equals(Uri.parse("content://safe/uri"))) {
setResult(RESULT_OK, intent); // Safe
} else {
setResult(RESULT_OK, intent); // $ hasTaintFlow
setResult(RESULT_OK, intent); // $ Alert
}
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
int flags = intent.getFlags();
// Good check
if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0
&& (flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) == 0) {
setResult(RESULT_OK, intent); // Safe
} else {
setResult(RESULT_OK, intent); // $ hasTaintFlow
setResult(RESULT_OK, intent); // $ Alert
}
}
{
Intent intent = getIntent();
Intent intent = getIntent(); // $ Source
int flags = intent.getFlags();
// Insufficient check
if ((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) == 0) {
setResult(RESULT_OK, intent); // $ MISSING: $ hasTaintFlow
setResult(RESULT_OK, intent); // $ MISSING: $ Alert
} else {
setResult(RESULT_OK, intent); // $ hasTaintFlow
setResult(RESULT_OK, intent); // $ Alert
}
}
}
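Review bot: The `// Insufficient check` comment in the last block of the final hunk does not say what the guard misses, and the `// $ MISSING: $ Alert` on its true branch records a false negative that a reader should be able to understand without opening the query: the condition tests only `FLAG_GRANT_READ_URI_PERMISSION`, so an Intent carrying `FLAG_GRANT_WRITE_URI_PERMISSION` still reaches `setResult`. I would spell that out, e.g. `// Insufficient check: FLAG_GRANT_WRITE_URI_PERMISSION is not tested, so a write grant can still be returned`. The same applies to the `SPURIOUS` case earlier in that hunk, where `// Combined, the following two calls are a sanitizer` could add that the query does not yet recognise the pair of `removeFlags` calls, which is why an alert is still expected there. Parts of onCreate between the hunks are not shown, so the other blocks may already carry such notes.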